06-13-2021 07:58 AM
I know that Cisco installs an identity certificate on hardware vEdge routers (in a tamper-proof module) by AvNET at the time of manufacturing. I have a couple of questions about this:
1. Does this certificate include the Organization Name to which it will be shipped later on?
The reason I am asking is that when the controllers authenticate this vEdge, they will verify the organization name on the vEdge's cert. So I am guessing that Cisco includes the Organization Name in the AvNET certificate. Correct me if I am wrong.
2. Does the serial number of the certificate match the serial number of the router (on the box)?
As per the documentation, the verification happens based on the 'certificate serial number' and not on the actual serial number on the box. Or are they the same? Do they put the box's serial number in the certificate?
3. Does the WAN Edge serial number list contain the "certificate serial number" or the box's serial number?
Thank you,
Mohan
06-15-2021 01:55 PM
Hello,
1) Controllers don't verify the org name of vEdges, but vEdges do for controllers (BTW, controllers check each order's org_name as well).
See "Authentication between Cisco vBond Orchestrator and a vEdge Router" section:
2) For IOS XE devices there are two serial numbers that were used before 17.3. One is the "SUDI serial number", the other is the "Certificate Serial Number". You had to know both and add them to the PNP portal (sometimes SUDI & PID are added automatically, but not the cert number).
See "Procedure 3: Add WAN Edge devices to the portal" section:
Beginning with 17.3, Cisco removed the cert serial number requirement, so basically the PID and SUDI serial are needed.
See "Remove Certificate SUDI requirement." section:
I don't believe they are the same (device SN and certificate SN). I'm not a "guru" in PKI, but most probably the SN for the certificate is automatically generated.
3) The certificate list (basically a whitelist for controllers) doesn't include the hardware (box) SN. See answer 2.
Regards,
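The answer above distinguishes the certificate serial number from the device (box) serial number. In X.509 terms these are two different fields: the certificate serial number is an INTEGER in TBSCertificate chosen by the issuing CA (RFC 5280 section 4.1.2.2 requires it to be unique per CA and positive; CAs commonly generate it randomly), while a device serial, if a vendor chooses to carry one, would typically be a subject attribute such as serialNumber (OID 2.5.4.5) next to organizationName (OID 2.5.4.10). The following is an added example, not Cisco's code and not a description of what Cisco actually puts in its vEdge certificates: it builds a trimmed, constructed TBSCertificate in DER with a small encoder, then parses it back with a minimal DER decoder to show where each value lives. The issuer name, the validity dates, the subject values and the 127-bit random serial are all constructed for the example; `build_tbs` stops after the subject field and omits subjectPublicKeyInfo and extensions.

```python
# Added example: X.509 certificate serial number (CA-assigned, in TBSCertificate)
# versus a device serial carried as the subject attribute serialNumber (2.5.4.5).
# Minimal DER encoder/decoder with no third-party dependencies.
import secrets

TAG_INTEGER, TAG_OID, TAG_UTF8, TAG_UTCTIME = 0x02, 0x06, 0x0C, 0x17
TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x30, 0x31, 0xA0
OID_ORG, OID_SERIALNUMBER = "2.5.4.10", "2.5.4.5"       # organizationName, serialNumber


def der_len(n):
    """DER length: short form below 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    # Non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear.
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return tlv(TAG_OID, bytes(out))


def der_name(attrs):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }."""
    rdns = b"".join(
        tlv(TAG_SET, tlv(TAG_SEQUENCE, der_oid(oid) + tlv(TAG_UTF8, val.encode())))
        for oid, val in attrs)
    return tlv(TAG_SEQUENCE, rdns)


def build_tbs(cert_serial, subject_attrs):
    """Trimmed TBSCertificate (constructed for this example): version, serialNumber,
    signature, issuer, validity, subject in RFC 5280 order; later fields omitted."""
    version = tlv(TAG_CTX0, der_int(2))                                  # [0] EXPLICIT v3
    sig_alg = tlv(TAG_SEQUENCE, der_oid("1.2.840.113549.1.1.11"))        # sha256WithRSAEncryption
    issuer = der_name([(OID_ORG, "Example Manufacturer CA")])            # constructed issuer
    validity = tlv(TAG_SEQUENCE, tlv(TAG_UTCTIME, b"210101000000Z") + tlv(TAG_UTCTIME, b"310101000000Z"))
    return tlv(TAG_SEQUENCE, version + der_int(cert_serial) + sig_alg + issuer + validity + der_name(subject_attrs))


def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(body):
    attrs = {}
    for _, rdn in children(body):             # each RDN is a SET
        for _, atv in children(rdn):          # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, val) = children(atv)
            attrs[decode_oid(oid)] = val.decode()
    return attrs


def inspect(tbs_der):
    """Pull the CA-assigned serial and the subject attributes out of the DER."""
    tag, body, _ = parse_tlv(tbs_der)
    assert tag == TAG_SEQUENCE
    fields = children(body)
    return {"certificate_serial": int.from_bytes(fields[1][1], "big"),   # tbsCertificate.serialNumber
            "subject": decode_name(fields[5][1])}                         # tbsCertificate.subject


def demo():
    cert_serial = int.from_bytes(secrets.token_bytes(16), "big") >> 1    # CA-style random positive serial
    subject = [(OID_ORG, "Example Corp"), (OID_SERIALNUMBER, "BOX-SN-0001")]   # constructed values
    return inspect(build_tbs(cert_serial, subject))


if __name__ == "__main__":
    info = demo()
    print("certificate serial (CA-assigned):", hex(info["certificate_serial"]))
    print("subject O:", info["subject"].get(OID_ORG))
    print("subject serialNumber (device SN attribute):", info["subject"].get(OID_SERIALNUMBER))
```

Running it prints a fresh random certificate serial each time alongside the fixed subject values, which is the practical point for an allow-list: a controller or PnP portal that keys on the certificate serial is matching the CA-assigned INTEGER, not any box serial that may or may not appear in the subject. Real production parsers should use a full ASN.1 library rather than this minimal decoder, which does not validate tags, signatures, or chains.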