What is Root Certificate and ID_Certificate in Viptela SDWAN?

knaik99
Level 1

What is Root Certificate and ID_Certificate in Viptela SDWAN?

1 Reply

svemulap@cisco.com
Cisco Employee
Hi knaik99 -

In the Cisco SDWAN solution, authentication between devices involves validating identity via certificates.


Controller identity is provided by a Symantec/Digicert or Cisco-signed certificate, or alternatively, an Enterprise CA certificate. Each controller in the network must have a certificate signed and installed. In addition, the root certificate chain for the corresponding CA must also be installed for each controller before the controller certificates can be installed.

Additional root chains are installed in order to validate the device certificate of devices that do not use the same CA root. Some root certificate chains are pre-loaded or automatically installed, and others, like the Enterprise root CA, must be installed by an administrator.


Identity for vEdge hardware routers is provided by a device certificate signed by Avnet, generated during the manufacturing process and burned into the Trusted Platform Module (TPM) chip. The Symantec/Digicert and Cisco root certificates are pre-loaded in software for trust for the controllers’ certificates. Additional root certificates may either be loaded manually, distributed automatically by vManage, or installed during the ZTP automatic provisioning process.


Identity for IOS XE SD-WAN hardware routers, with the exception of the ASR 1002-X, is provided by the Secure Unique Device Identifier (SUDI), which is an X.509v3 certificate associated with a key pair that is protected in hardware. The Symantec/Digicert and Cisco root certificates are pre-loaded in software for trust for the controllers’ certificates. Additional root certificates may either be loaded manually, distributed automatically by the vManage NMS, or installed during the Plug-and-Play (PnP) automatic provisioning process.


vEdge cloud routers, ISRv routers, CSR1000v routers, and Cisco ASR 1002-X routers do not have device certificates pre-installed. Each device uses a One Time Password (OTP)/Token that is generated by vManage and configured during device deployment for the purpose of a temporary identity. Once the device is temporarily authenticated, a permanent identity is provided by vManage, which can operate as a Certificate Authority (CA) to generate and install certificates for these devices.

HTH.
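As an added illustration, not part of the answer above or of any Cisco tooling, the following script uses plain openssl to model the point about root chains: a controller whose trust store holds only one root cannot validate a device certificate issued under a different root until that root chain is installed. The CA and device names are constructed placeholders, not the real Cisco, DigiCert or Avnet roots.

```shell
#!/bin/sh
# Added example: model how a controller validates a peer's device certificate
# against the root chains installed on it. Uses openssl only; every CA below
# is a constructed placeholder, not a real Cisco/DigiCert/Avnet root.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA: make_root <name> -> $WORK/<name>.key / .crt
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a device certificate signed by a root: make_device <device> <root>
make_device() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Validate a device certificate against the controller's installed roots.
# Returns 0 when the chain ends in an installed root, non-zero otherwise.
controller_validates() {
  openssl verify -CAfile "$WORK/trust-store.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

make_root placeholder-cisco-root
make_root placeholder-enterprise-root
make_device vedge-1 placeholder-cisco-root
make_device vedge-2 placeholder-enterprise-root

# The controller starts with only the pre-loaded root installed.
cat "$WORK/placeholder-cisco-root.crt" > "$WORK/trust-store.pem"
controller_validates vedge-1 && echo "vedge-1: trusted"
controller_validates vedge-2 || echo "vedge-2: untrusted, root chain not installed"

# An administrator installs the enterprise root chain; validation now succeeds.
cat "$WORK/placeholder-enterprise-root.crt" >> "$WORK/trust-store.pem"
controller_validates vedge-2 && echo "vedge-2: trusted after root install"
```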