
vManage web certificate (Cloud version)

markus.albisser
Beginner

Hi all

 

We are setting up SD-WAN with vManage, vBond etc directly with Cisco in the Azure cloud. To access the webinterface now for vManage, we got the URL https://vmanage-company.sdwan.cisco.com. The web service by default has a self-signed web certificate active for the host "cisco.com". This access now results in a non-secure access within the browser, because the host name does not match and we don't have a valid chain with a root CA certificate which validates the certificate. This makes sense so far.

 

The question now is how do we go around this one. First we thought about two options:

 

1. Create a new official certificate (for example with Digicert), either with the true hostname from the URL or with this hostname as part of the SAN field. A chat with Digicert brought up that it is not allowed to enroll certificates for a domain of which we are not the owner - in this case cisco.com.

 

2. Create a certificate within our internal CA. Here the same topic applies: we cannot enroll a certificate for a domain which is not part of our environment. Furthermore, we cannot add the public key of the root CA certificate from our internal CA to the trusted root certification authorities.

 

I am wondering what the solution is on this one. Why does Cisco, for example, not have a wildcard certificate which would be valid for all the cloud customers (*.sdwan.cisco.com), or provide host-based certificates which come from an authorized public CA? I don't see how I can get around this: I cannot enroll a certificate on my own, and continuing with the self-signed one is also not a true option (such a business-critical system should not result in a "not secure" browser statement).

 

Any thoughts and inputs are appreciated. Many thanks!

Markus

1 ACCEPTED SOLUTION


Hi Markus,

 

The way I usually approach this is to create a CNAME in the customer's DNS that points to Cisco's A record. So something like vmanage.example.com pointing to vmanage-xxx.sdwan.cisco.com. Then generate a CSR under Administration -> Settings -> Web Certificate. Put the Common Name as vmanage.example.com and also put it in the SAN.

 

Hope that helps.


Best regards,

Daniel

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
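Why Daniel's CNAME approach works while the default certificate does not comes down to how a browser matches names: it compares the host typed in the URL against the dNSName entries in the certificate's SAN (the CNAME target is never consulted, and current browsers ignore the CN). The matcher below is an added example, not code from the thread or from Cisco, and every hostname in it is a constructed sample; it evaluates the options discussed in this thread.

```python
"""Hostname-to-certificate matching as a browser performs it (RFC 6125 rules).

Added example, not code from the thread. All names are constructed samples.
"""


def hostname_matches(san_dns_names, hostname):
    """Return True if any SAN dNSName entry covers `hostname`.

    A wildcard must be the entire left-most label and matches exactly one
    label, so "*.sdwan.cisco.com" covers "vmanage-x.sdwan.cisco.com" but
    neither "a.b.sdwan.cisco.com" nor "sdwan.cisco.com" itself.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if any("*" in lab for lab in labels[1:]):
            continue  # wildcard only permitted in the left-most label
        if "*" in labels[0] and (labels[0] != "*" or len(labels) < 3):
            continue  # no partial wildcards ("vm*"), no "*.com"
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


def thread_scenarios():
    """The options discussed in the thread, evaluated as a browser would.

    Each entry is (host typed in the URL, dNSName list the vManage web
    certificate would carry in that option); names are constructed samples.
    """
    cases = {
        # Default: self-signed certificate issued to "cisco.com" only.
        "default_self_signed": ("vmanage-company.sdwan.cisco.com", ["cisco.com"]),
        # Markus's suggestion: a Cisco-owned wildcard covering every tenant.
        "cisco_wildcard": ("vmanage-company.sdwan.cisco.com", ["*.sdwan.cisco.com"]),
        # Daniel's answer: CNAME vmanage.example.com -> vmanage-xxx.sdwan.cisco.com
        # and a CSR whose CN and SAN both carry vmanage.example.com.
        "cname_own_domain": ("vmanage.example.com", ["vmanage.example.com"]),
        # Same CNAME, but the SAN names only the CNAME target: the browser
        # still checks the typed name, so this is rejected.
        "cname_wrong_san": ("vmanage.example.com", ["vmanage-xxx.sdwan.cisco.com"]),
    }
    return {k: hostname_matches(san, typed) for k, (typed, san) in cases.items()}


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name}: {'secure' if ok else 'NAME MISMATCH'}")
```

The certificate chain must of course also be trusted by the client; the check here covers only the name mismatch that produces the "not secure" warning described in the question.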


9 REPLIES

Lei Tian
Cisco Employee

Hello Markus,

 

We have raised the concern before; currently the cloudops team doesn't have this on the roadmap. I suggest you reach out to your Cisco account team if you have one, or open a TAC case with the cloudops team for this concern.

 

HTH,
Lei Tian

Hi Lei Tian

Thank you for your feedback. This tells me that this is a true issue we have, without a good workaround which can be implemented. Let's see if there are other customers/persons with a similar experience and feedback. I have already discussed it with your Cisco partner; probably I will then open a TAC case to address it.

Thank you
Markus

Hello Markus,

 

The cloudops team currently doesn't provide a signed web cert, but you might be able to use your own domain name for the controller's FQDN and get that signed. Open a TAC case with the cloudops team to see what options you have.

 

HTH,

Lei Tian