04-28-2023 01:51 AM
If we use Cisco's deployment option, and vManage and Smart Account are already synced, do we still need to install certificates for controller or edge devices? If so, do virtual Edge devices need to be treated differently from physical Edge devices?
I think both the controller and the Edge device have the root certificate installed, because the Cisco root certificate was bundled into the software of IOS XE SD-WAN routers starting in the 17.2.2 version of code. It was also bundled consistently into the software of vEdge routers starting in the 18.4.6, 19.2.4, 20.1.2, and 20.3.2 and higher versions of code. So they should be able to authenticate each other and establish a connection normally, right?
04-30-2023 01:00 PM
Right. You need to install a certificate (which includes generating a CSR, copying it, sending it to the CA admin, receiving the certificate and installing it) only when you select the "Enterprise CA" option.
Otherwise, for hardware an on-board certificate exists (Cisco signed, and the root is included in all OS images). For virtual devices a vManage-based certificate is automatically installed (vManage signed, and the root is pushed by vManage).
04-28-2023 03:06 AM
Hi,
it all depends on how your settings look. In the settings of vManage there are 3 sections for how certificates should be handled:
1) controller certificates: You may have either Cisco based (through the Smart Account PnP page) or enterprise CA (only manual, requires installation of the enterprise root CA on all devices). If Cisco based, then it is automatically done when you add a controller and if you have sync with the Cisco Smart Account.
2) hardware device certificates: all hardware devices (except ASR1002) have their own on-board certificate. If your setting is "On Box Certificate (TPM/SUDI Certificate)", you don't need installation of any certificate; you already have it.
3) virtual device certificates: virtual devices don't have a certificate. You need to use the chassis-id and token (as OTP) and connect the virtual device to the controllers; after that vManage automatically installs a certificate on the virtual device. This is the "Automated (vManage Signed)" option.
For all three types of devices, there is one more option: enterprise CA. In this case, you need to generate a CSR, send it to the CA admin, get the certificate file and install it. You also need the root CA file to be installed on all routers and controllers.
Below is certificates section from SD-WAN CVD.
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#Certificates
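The following is an added example, not part of Kanan's post or any Cisco tooling. It models the "Enterprise CA" flow described above with plain openssl: an enterprise root CA is created, a device CSR is generated and signed by that CA, and the resulting certificate is then verified twice, once against the enterprise root and once against an unrelated root. The second check fails, which is exactly why the root CA file has to be installed on every router and controller when this option is used. It assumes openssl is on PATH; all names (enterprise-root, other-root, edge-1) are constructed for the demo.

```shell
#!/bin/sh
# Added example: the enterprise CA certificate flow, simulated with openssl.
# Assumes openssl is installed. Names and subjects below are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_root_ca() {
  # Enterprise root CA (self-signed). In a real deployment this is the CA the admin operates.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

make_device_csr() {
  # Device side: generate a key pair and a CSR (the step vManage performs per controller/edge).
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

sign_csr() {
  # CA admin side: sign the device CSR ($1) with the enterprise root ($2).
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.crt" >/dev/null 2>&1
}

verify_against() {
  # Peer side: verify a presented certificate ($1) against the root the peer trusts ($2).
  # Prints "ok" or "fail" rather than exiting so outcomes can be compared.
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

run_demo() {
  make_root_ca enterprise-root
  make_root_ca other-root          # a root that was never distributed to this peer
  make_device_csr edge-1
  sign_csr edge-1 enterprise-root
  with_root="$(verify_against edge-1 enterprise-root)"
  without_root="$(verify_against edge-1 other-root)"
  # Expected: "ok fail" - the peer can only validate edge-1 if it holds the enterprise root.
  echo "$with_root $without_root"
}

run_demo
```

The same two-sided check is what the Cisco-signed and vManage-signed options make unnecessary: the matching root is already in the OS image or pushed by vManage, so there is nothing for the operator to distribute.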
04-30-2023 04:32 AM
Hi Kanan,
Thx for your response. So if I have two ISR4000 and two C8kv, I don't need to install certificates on them; they will work well when onboarded (assuming there is no other abnormal reason, just from the certificate side).
As you provided info:
Please tell me if I have some mistakes. Many thx.
05-01-2023 05:48 PM
got it, thx a lot!
11-24-2023 01:08 AM
Hi,
that is correct. By default it works, but if you want you can use the enterprise CA option; then everything is manual.