I am actually stuck at this stage:

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/03Deploy_the_vManage_NMS/05Generate_vManage_NMS_Certificate

I have installed a OVA image in my a lab VM environment, when i do generate CSR for vmanage it says:

Failed to get CSR signed

Unable to get response from signing server https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/enroll

even though from vmanage command line i can ping 8.8.8.8.

Sounds like you are building a lab, are you? In this case you should not use Digicert (ex-Symmantec) certificates. Digicert certificates should be used for production deployments. For lab you should use private certificates. You can use tools like tinyCA (Ubuntu) or XCA (Mac) to sign CSRs generated on controllers. The process is:

1. Generate CSR on controller

2. Sign CSR on the private CA

3. Install signed CSR back on controller

4. Install root-chain of your private CA on controller

You will need to repeat this for vBond, vSmart and vManage.

Hope this helps.

David

Thanks David, i downloaded XCA, generated CSR from Vmanage, imported the CSR in XCA, went to Certificates in XCA->New Certificate->Selected the imported CSR->selected "create a self signed certificate" but it gave error:

"The Key you selected for signing is not a private one"

where do i get this private key?

You need to create a working XCA setup before you import any CSRs... Please refer to some online documentation. XCA is just one tool, there are others as well.

XCA is pretty easy to use but it complains about private key. I just want to know where we create the CSR from VManage where does it store the private key?

PKI is a private/public key system. Private key is stored on vManage. Public key is used in the CSR that XCA will sign. You do not need vManage private key for XCA.

Hi,

I did get the CSR signed and got the certificate when i installed it on vmanage it gave this error:

"Error: root-ca-chain unable to validate the certificate...Aborting!"

Thanks,

Aamir

Great! Now before you try to install the signed CSR back into vManage, you need to load the root chain from your XCA into vManage. The root cert is exportable from XCA. You need this command to install root chain into vManage.

https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Operational_Commands/request_root-cert-chain

Thanks David all is good now and Vmanage is up and has the certificate installed. Now i want to add Vbond and when i go to Vmanage->Controllers->Add Vbond, i put the management IP of vbond and it says:

The IP which i configured on VPN 512 in Vbond. From Vmanage i can ping that IP.

Hi David,

I am also trying to setup SD-WAN lab and afterward will start customer PoC.

I have setup control n with vManage, vBond, vSmart with self signed certificate through  vshell and viptela cli. I generated CSR from vEdge cloud VM and also signed from vManage like I did with vBond and vSmart.

I am using version 18.3.3 for all devices.

last step where I am stuck is to add vEdge cloud VM router into control plan. I not using Symantec or private CA but using vManag as self signed certificate.

plea let m now how could I add vEdge cloud?

if I use MS CA server then which certificate template I will use to sign certificate from CA.

Thanks,

Imran