36362 Views, 85 Helpful, 49 Replies

Viptela Vmanage

xshant
Level 1

I installed vManage on a virtual machine. On vManage I selected manual root certificate and generated a certificate with "Generate CSR"; it generated a .csr file. Now I wanted to install this certificate for vManage, and when uploading the certificate it gives me an error saying "cannot decrypt serial number from the certificate". Where do I get the serial number? It's a VM. Is this the right way to do it? Do I need to install this certificate for vManage?

49 Replies

Hi, I also encountered this problem: "failed to add device, network is unreachable".

Have you solved this problem?

It turns out I was using the wrong VPN. You aren't supposed to use the Mgmt VPN 512 for mgmt. :) It has to be VPN 0.

Did you allow sshd and netconf on vBond?

 

On vBond1:

vpn 0
  int ge0/0
    tunnel-interface
      allow-service sshd
      allow-service netconf
commit and-quit

Dear,
Please, how did you solve it?
I am stuck on this step; I can't install the certificate on vManage manually.
I tried with OpenSSL and Active Directory but I couldn't solve it.
What did you use, and what statistics did you use?
Thanks.

Well, actually we did not "solve" the problem. We just realized what the cause of the problem was in our case soon after the problem had actually gone. If you carefully follow the documentation for vEdge-cloud deployment, all should be fine, but... Cisco never mentioned that for a successful "ssl trust relationship" the time should be in sync on both platforms. (Kind of basic, but not everybody pays attention.) So in our case the problem went away when the firewall settings for NTP were corrected. The edge and vManage time synced, and the certificate install process and edge registration started to work as expected.

This turned out to be my problem in activating the vedge-cloud as well. After configuring NTP, I was able to successfully add them to the network.

I am also facing the same problem, any solution?

Hey, hi.

I'm also facing the same issue and literally struggling to do it. To install the certificate, I generated a CSR for vManage. But I am not sure about the detailed steps (from how to sign that CSR to installing the cert in vManage). Could you please help me by providing the step-by-step process:

how you got the CSR signed and got the certificate

how you created and loaded the root chain from your XCA into vManage

which tool you used

any online link you referred to

 

Which I studied from your 'Re: Viptela Vmanage' discussion. Please guide me in this. Your help will be appreciated. 

Hi, this part was simple. I used WinSCP to copy the root-chain certificate to vManage. Then, using the CLI, I uninstalled the provided root chain and cleared the cert storage after the uninstall. Then, using the request CLI command, I asked to install the root-chain certificate which was copied using WinSCP.

All subsequent CSRs I sign against the root CA using the TinyCA Linux utility.

Hey, hi,

My concern is: how do you create the root cert? Where is it located? All I have now is the CSR which I generated from vManage. What are the next steps I need to follow with that CSR? Please explain this.

Root cert is a file. You could store it anywhere you like.
To create the root cert I use the same TinyCA Linux program which I use to sign CSRs.
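Added example, not from any poster or from Cisco documentation: the workflow described in the replies above (create a private root CA, sign a CSR with it) done with OpenSSL instead of TinyCA, followed by a check of the clock dependency raised earlier in the thread. The subjects, the serial number and all file names are constructed, and the locally generated CSR stands in for the one exported from vManage.

```shell
#!/usr/bin/env bash
# Added example: a private root CA signs a CSR; the result is then validated
# under two different clocks. All names and paths are constructed.
set -euo pipefail
workdir=$(mktemp -d)

cat > "$workdir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Lab
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. Root CA. rootCA.pem is the file devices trust; rootCA.key never leaves
#    the CA host (-nodes leaves it unencrypted, acceptable only in a lab).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$workdir/ca.cnf" \
  -keyout "$workdir/rootCA.key" -out "$workdir/rootCA.pem" 2>/dev/null

# 2. Constructed CSR standing in for the one exported from the controller.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$workdir/ca.cnf" -subj "/O=Example Lab/CN=controller.example.test" \
  -keyout "$workdir/device.key" -out "$workdir/device.csr" 2>/dev/null

# 3. Sign the CSR with the root CA, using an explicit serial number.
openssl x509 -req -in "$workdir/device.csr" -sha256 -days 365 \
  -CA "$workdir/rootCA.pem" -CAkey "$workdir/rootCA.key" \
  -set_serial 0x1001 -out "$workdir/device.pem" 2>/dev/null

cert_serial() {   # serial of the issued certificate, as hex
  openssl x509 -in "$workdir/device.pem" -noout -serial | cut -d= -f2
}

verify_at() {     # $1 = epoch seconds the validating host believes it is
  openssl verify -attime "$1" -CAfile "$workdir/rootCA.pem" \
    "$workdir/device.pem" 2>&1 | grep -q ': OK$'
}

now=$(date +%s)
echo "serial: $(cert_serial)"
openssl x509 -in "$workdir/device.pem" -noout -dates
verify_at "$now" && echo "clock in sync: chain verifies"
verify_at "$((now - 86400))" || echo "clock one day behind: rejected, not yet valid"
```

A host whose clock is behind the certificate's notBefore rejects a chain that is otherwise correct, which is why a freshly issued certificate can fail until NTP is working.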

Thanks for the info. Can you suggest some other tools for Windows? Does the root cert need to be saved as a .pem file?

Is this step 4 necessary? Install 'root chain' on the vManage controller?

 

It's not part of the steps:

https://sdwan-docs.cisco.com/Product_Documentation/vManage_How-Tos/Configuration/Generate_a_Certificate#Manually_Generate_a_Certificate

 

I'm receiving the same error when I try to install my privately signed root certificate to vManage. It gives the following message:

Failed to decrypt serial number from certificate

I have tried to import the root cert in two different formats (RAW and PKCS #7) but received the same error above

 

 

thanks

Ian

Hi David,
Please let me know: if DigiCert (of Symantec) certificates are used from vManage to get automated signed certs for vBond and vSmart, will Symantec or Cisco charge additional money for the DigiCert certificates?

Hello alihusainl19,

vManage automates the process of provisioning DigiCert certificates onto the other controllers (vBonds and vSmart) and onto itself as well. It does that by requesting the controllers to generate a certificate signing request (CSR), forwarding this request to DigiCert, retrieving the signed certificate (once approved by the Cisco CloudOps team) and finally installing it back into the controllers. DigiCert does charge for signed certificates; however, Cisco includes that charge in the cost of DNA subscription licensing, so customers do not have to pay anything directly to DigiCert.

Please note the following:

1. If you leverage Cisco-hosted cloud controllers, the entire process above is fully automated and you don’t have to do anything.
2. If you leverage on-prem controllers, your Cisco SE will guide you through the process. It is essentially the same thing, but you will need to click a few things in the vManage GUI to initiate it for each controller. Of course, you will need to stand up the controller VMs in your data centers as well ☺
3. If you leverage on-prem controllers, you can use your private PKI infrastructure, if you have it. Please refer to the documentation on sdwan-docs.cisco.com for more details on that option. It’s a little more complex to do and requires more understanding of how PKI works, but we have many customers who have done it, so no big deal.

Hope this helps.
David
@DavidKlebanov

Twitter: @DavidKlebanov