SD WAN Certificate Expiry

RS19
Level 4

Currently in my SD WAN environment, the controllers' certificates are expiring in 1 week.

What is the procedure or the steps I need to follow to renew them?

The WAN Edge certificates are not expiring; only the controller certificates (vBond, vManage, vSmart) are expiring.

Let me know how I should renew them.

1 Reply

kevin.charron
Level 1

Below is what I received from Cisco. This procedure works, but I had one device go offline, and when doing a "show control connections-history" I'm getting the CRTVERFL error (Fail to verify peer certificate). If you get that, you can follow the directions in this link (assuming you are able to get access): https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214509-troubleshoot-control-connections.html#anc19

The link above did not resolve my issue, however, and I now have an open TAC case to get it resolved.

Please follow these steps for the certificate issuance/renewal:

NOTE: If the controllers are on-prem and don't have access to the Symantec website for any reason, skip step 1.

1. Check [a] whether your email address is configured, and [b] whether the certificate process is set to Symantec Automated at: vManage > Administration > Settings > Controller Certificate Authorization. For automated certificate retrieval and installation, please set it to Symantec Automated. If the email address is not correct, please change it before the next step. This email address will be used as an identity for the CSRs and approved certificates in the next steps. You can skip the challenge phrase option.

2. Generate CSRs (Certificate Signing Requests) from the vManage screen for all the controllers: vManage > Configuration (gear icon) > Certificates > Controllers > Options (3 dots) > Generate CSR.

3. Once you submit the CSR requests from vManage, if they do make it to the Symantec server, you should get an email confirmation at the address configured in step 1. If you didn't receive them, there is some firewall or reachability issue between your controller and Symantec. If the controllers have internet access, verify that port 443 is open and ensure that the following endpoints used by the DigiCert VICE API to enroll and retrieve the approved certificates are reachable:
   - Enroll CSR: https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/enroll
   - Pickup certificate: https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/pickup

4. If you see such an issue, you can copy the CSR from vManage and submit a request directly to Symantec at: https://certmanager.websecurity.symantec.com/mcelp/enroll/index?jur_hash=f422d7ceb508a24e32ea7de4f78d37f8
   Instructions to submit the request on the Symantec portal:
   a. Enter first name, last name, choose 'Apache' for server platform and upload the CSR file that was copied earlier.
   b. Be sure to enter a valid accessible email in the email field, because this email is where the signed certificate will be sent.
   c. Submit the CSR raw text: the entire dump, including the 'Begin' and 'End' lines, needs to be pasted.
   d. For Certificate Signature Algorithm, leave it selected as 'SHA-256 with RSA and SHA-1 root - Recommended'.
   e. Leave server licenses and validity period as is (1 yr).
   f. Next, pick a challenge phrase and submit the request. This can be any challenge phrase of your choice.
   g. Then hit 'Get Certificate' under Subscriber Agreement.

   If everything above was correctly filled out, you will get a confirmation that the CSR has been submitted.

5. Once completed, please create a request via a Cisco TAC Support case (Technology: SDWAN, Sub-Technology: SDWAN Cloud Infra) or inform the current case owner. Please provide the email address, controller type & Org name so that the team can approve the CSRs.

For more information, please refer to this guide: https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Configuration/Configure_Certificate_Authorization_Settings_for_Controller_Devices
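The procedure above leaves three things for the operator to verify by hand: how close each controller certificate is to expiry, that the CSR text copied from vManage is complete before it is pasted into the portal (step 4c), and, after installation, that the new certificate actually chains to a root the peers trust (the check that fails behind a CRTVERFL / "Fail to verify peer certificate" message). The script below is an added example, not code from this thread or from Cisco; it assumes only the openssl command-line tool, and every key, certificate and CSR it works on is constructed locally, so it runs offline and never touches a real controller. The hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): local openssl checks to
# run before and after the controller certificate renewal procedure.
# Assumes: the openssl CLI is installed. All certificate material below is
# constructed on the fly; nothing here talks to a real controller or CA.

set -u

# Returns 0 if the certificate in $1 stays valid for at least $2 more days,
# 1 if it expires sooner. -checkend takes a number of seconds.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Returns 0 if $1 is a complete PEM CSR (BEGIN and END lines present, as
# step 4c requires) whose self-signature verifies, 1 otherwise. Run this on
# the exact text you intend to paste into the portal.
csr_is_complete() {
  grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" || return 1
  grep -q -- '-----END CERTIFICATE REQUEST-----' "$1" || return 1
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Returns 0 if certificate $1 chains to a root in the PEM bundle $2, 1 otherwise.
# This is the kind of verification a peer performs before it reports CRTVERFL.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 if a TLS handshake to $1:443 completes (the step 3 reachability
# check for the enroll/pickup endpoints). Needs network, so not exercised here.
endpoint_reachable() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null >/dev/null 2>&1
}

# --- constructed sample data (placeholder names, throwaway keys) -------------
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/ctrl.key"; CERT="$WORK/ctrl.pem"; CSR="$WORK/ctrl.csr"
BAD_CSR="$WORK/truncated.csr"; OTHER_CA="$WORK/other-ca.pem"

# A controller key with a self-signed certificate that expires in 5 days.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" -days 5 \
  -subj '/CN=vmanage.example.invalid' >/dev/null 2>&1
# The CSR you would copy from vManage, plus a copy with its END line missing
# to mimic an incomplete paste.
openssl req -new -key "$KEY" -out "$CSR" -subj '/CN=vmanage.example.invalid' >/dev/null 2>&1
sed '$d' "$CSR" > "$BAD_CSR"
# An unrelated self-signed root that the controller certificate does not chain to.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -out "$OTHER_CA" \
  -days 30 -subj '/CN=unrelated-root.example.invalid' >/dev/null 2>&1

# Human-readable summary; the functions above carry the result in their status.
if cert_valid_for_days "$CERT" 7; then
  echo "controller cert: valid for more than 7 days"
else
  echo "controller cert: expires within 7 days, start the renewal now"
fi
csr_is_complete "$CSR"     && echo "ctrl.csr: complete, safe to paste into the portal"
csr_is_complete "$BAD_CSR" || echo "truncated.csr: incomplete, do not paste"
cert_chains_to "$CERT" "$CERT"     && echo "controller cert chains to its own root"
cert_chains_to "$CERT" "$OTHER_CA" || echo "controller cert does not chain to the unrelated root (CRTVERFL-style failure)"
```

Point `cert_valid_for_days` at the PEM exported from each controller and `cert_chains_to` at the new certificate together with the root bundle your WAN Edge devices trust; a failure on the second check is worth catching before a device drops its control connection rather than in `show control connections-history` afterwards.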