cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2091
Views
1
Helpful
5
Replies

SDWAN Certificate installation problem

John.lc
Level 1
Level 1

If we use CiscoOps' deployment option, and vmanage and smart accounts are already synced, do we still need to install certificates for controller or edge devices? If so, do virtual Edge devices need to be treated differently from physical Edge devices?

I think both the controller and the Edge device have Root certificate installed, because the Cisco root certificate was bundled into the software of IOS XE SD-WAN routers starting in the 17.2.2 version of code. It was also bundled consistently into the software of vEdge routers starting in the 18.4.6, 19.2.4, 20.1.2, and 20.3.2 and higher version of code. And they should be able to authenticate each other and establish a connection normally, right?

1 Accepted Solution

Accepted Solutions

Right. You need to install certificate (which includes, generating CSR, copying it, sending to CA admin, receiving certificate and installing certificate) only when you select "Enterprise CA" option.

Otherwise, for hardware on-board certificate exists (Cisco signed, and root is included in all OS images). For virtual devices vmanage based certificate is automatically installed (vmanage signed, and root is pushed by vmanage).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

View solution in original post

5 Replies 5

Hi,

all depend on how your settings look like. In settings of vManage there are 3 sections how certificate should be:

1) controller certificates: You may have either Cisco based (through smart account PNP page) or enterprise CA (only manual, requires installation of enterprise root CA on all devices). If Cisco based, then it is automatically done when you add controller and if you have sync with Cisco Smart Account.

2) hardware device certificates: all hardware devices (excep ASR1002) have its own on-board certificate. If your setting is " On Box Certificate(TPM/SUDI Certificate)", you don't need installation of any certificate, you already have it.

3) virtual device certificates: virtual devices don't have certificate. You need use chassis-id and token (as OTP) and connect virtual device to controllers, after that vManage automatically installs certificate on virtual devices. This is "Automated (vManage Signed)" option.

In all three types of devices, there is one more option : enterprise CA. In this case, you need generate CSR, send to CA admin, get certificate file and install. You also need root CA file to be installed in all routers and controllers.

Below is certificates section from SD-WAN CVD.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#Certificates

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi Kanan,

Thx for your response. So if i have two ISR4000 and two C8kv, i don't need install certificate on them , they will work well when on board(sure, there is no other abnormal reason, just for certificate side)

As you provided info:

  • ISR4K: its own on-board certificate
  • Cat8kv: "Automated (vManage Signed)" option.

please tell me if i have some mistakes. many thx.

 

Right. You need to install certificate (which includes, generating CSR, copying it, sending to CA admin, receiving certificate and installing certificate) only when you select "Enterprise CA" option.

Otherwise, for hardware on-board certificate exists (Cisco signed, and root is included in all OS images). For virtual devices vmanage based certificate is automatically installed (vmanage signed, and root is pushed by vmanage).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

got it, thx a lot!

Hi,

that is correct. By default it works, but if you want you can have enterprise CA option, then everything is manual.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Review Cisco Networking for a $25 gift card