IOS-XE SDWAN, PnP and certificates

alxzed
Level 1

We are doing a POC lab here for an on-prem Cisco SD-WAN solution. vManage, vBond and vSmart are all on-prem, using Enterprise CA certs.

Got a few new out-of-box ISR 4331 routers with the IOS-XE SD-WAN image on them. Registered all device serials on Cisco's PnP portal, did a Smart Account Sync from vManage, and all devices show up in the list.

The problem is that the ISRs have Cisco Root CA generated certificates pre-installed on them. My vManage, vBond and vSmarts all use Enterprise certs. I can see that the ISRs are trying to register with vBond, but vManage shows them as offline. When I try to push templates to the ISRs, it says that the device is offline. I suspect that this is a cert problem. vManage doesn't have the Cisco Root CA installed. The whole idea of PnP is not to worry about pre-staging devices with certs and such. Do I need to do extra steps here with certs? Or is this something that is not supported right now?

3 Replies

tahiali
Cisco Employee
Accepted Solution

If I understand your question correctly, you need to do the following.

Add the enterprise root-CA chain of trust directly to the ISR so that it can authenticate the controllers signed with your Enterprise root CA. In the normal case, when the controllers come in with an enterprise root CA signed cert to an ISR or any other vEdge, it will not accept it, as it doesn't know about the signing authority. It knows about the default root CAs, which are Symantec, Avnet, or Cisco (for a mix of devices).

To do this you can go to your PnP connection profile and add the certificate chain of trust there by uploading your enterprise root CA cert. In this way, when the vEdge boots and hits the PnP server, it will not only redirect it to your organization's vBond but also give it the enterprise root CA chain of trust. So you can still do ZTP in this case. If you go the manual route, you can install the enterprise root CA chain of trust on the ISR manually, by scp etc.
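The trust failure described in this answer, modelled as an added example that is not part of the thread or of any Cisco tooling: a constructed "default" root stands in for the factory-trusted Cisco/Symantec/Avnet roots, a constructed enterprise root signs a vBond certificate, and the device-side check is emulated with `openssl verify` against the trust store before and after the enterprise chain is added. All names and certificates are hypothetical and generated on the fly; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example: why an ISR that trusts only its default root CAs rejects a
# controller cert signed by an enterprise root CA, and why delivering that
# root (via the PnP profile or scp) fixes it. All material is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed root CA. $1 = file prefix, $2 = subject CN
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a controller (leaf) cert signed by a root.
# $1 = leaf prefix, $2 = subject CN, $3 = signing root prefix
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 1 -CA "$WORK/$3.crt" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The device-side check: does the controller cert chain to a root in the
# trust store? $1 = trust-store PEM, $2 = controller cert. Exit 0 = accepted.
device_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Scenario from the thread (hypothetical names): the factory root stands in
# for the Cisco/Symantec/Avnet defaults; vBond is signed by the enterprise CA.
make_root default_root "Default Root CA stand-in"
make_root enterprise_root "Example Corp Enterprise Root CA"
make_leaf vbond "vbond.example.invalid" enterprise_root

# Factory trust store holds only the default root.
cp "$WORK/default_root.crt" "$WORK/factory_trust.pem"
# After PnP (or a manual scp) delivers the enterprise chain, both are trusted.
cat "$WORK/default_root.crt" "$WORK/enterprise_root.crt" > "$WORK/pnp_trust.pem"

before_pnp() { device_trusts "$WORK/factory_trust.pem" "$WORK/vbond.crt"; }
after_pnp()  { device_trusts "$WORK/pnp_trust.pem" "$WORK/vbond.crt"; }

before_pnp && echo "before: trusted" || echo "before: rejected (unknown signing authority)"
after_pnp && echo "after: trusted" || echo "after: rejected"
```

Running `openssl verify` with the root you intend to upload against the controller's actual certificate is a quick way to confirm you have the right chain before touching the PnP profile.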

I didn't see the option to install the Enterprise root CA in the PnP connection profile before. This is cool and really useful. I added it and will be testing shortly. Thank you!