This document describes how to generate and install a self-signed web certificate when the existing one has expired on an on-prem vManage. Cisco does not sign web certificates for such deployments; customers have to sign them with their own Certificate Authority (CA) or a third-party CA.
The vManage web certificate is about to expire or has already expired. Access to the Graphical User Interface (GUI) can be lost, or the GUI can show a permanent alarm about the expired certificate.
If you are not concerned about the security aspect of self-signed certificate usage and just want to avoid the alarm message and possible problems with vManage GUI access due to an expired certificate, then you can use this solution with a self-signed web certificate on a vManage.
1. In the vManage GUI, navigate to Administration > Settings > Web Server Certificate > Certificate and save the certificate subject information somewhere, for example, Subject: CN=vmanage, OU=Cisco SDWAN, O=Cisco Systems, L=San Jose, ST=CA, C=US.
2. In the vManage GUI, navigate to Administration > Settings > Web Server Certificate > CSR and select Generate in order to generate a new Certificate Signing Request (CSR). Ensure you enter the values from the Subject that you captured in the previous step.
3. Copy the newly generated CSR to the copy-paste buffer as shown in the image.
4. Then enter vshell and paste the buffer content with the CSR into a file on the vManage with the help of the echo command.
6. With the help of openssl, generate a key for the Root Certificate named rootca.key.
vmanage:~/web$ openssl genrsa -out rootca.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
7. Generate the Root CA certificate named rootca.pem and sign it with the rootca.key that was generated in the previous step.
vmanage:~/web$ openssl req -x509 -new -nodes -key rootca.key -sha256 -days 4000 -out rootca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco Systems
Organizational Unit Name (eg, section) []:Cisco SDWAN
Common Name (e.g. server FQDN or YOUR name) []:vmanage
Email Address []:
rootca.key rootca.pem web_cert.csr
8. Sign your CSR with the Root CA certificate and key.
10. Import the certificate into the vManage. In order to do so, navigate to Administration > Settings > Web Server Certificate > Import and paste the content of your copy-paste buffer as shown in the image.
11. If you did everything right, vManage shows "Certificate Installed Successfully" as shown in the image.
12. Finally, check the result and ensure the certificate validity date was updated successfully as shown in the image.
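Steps 6 to 8 as one non-interactive run with checks on the result, added here as an example and not part of the original procedure or Cisco's own tooling. The names web_cert.key and web_cert.crt, the function name, the 365-day lifetime in the usage line and the root CA common name rootca are assumptions; the root CA gets its own CN so that the issued certificate's issuer differs from its subject and openssl verify can build the chain.

```shell
#!/bin/sh
# Added example. SUBJ mirrors the Subject from step 1. CA_SUBJ, web_cert.key
# and web_cert.crt are assumed names; the CSR built here is a constructed
# stand-in for the one the vManage GUI generates in step 2.
SUBJ="/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=Cisco SDWAN/CN=vmanage"
CA_SUBJ="/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=Cisco SDWAN/CN=rootca"

# sign_and_verify DIR DAYS: run steps 6-8 in DIR, then check the result.
# Usage: sign_and_verify "$(mktemp -d)" 365
sign_and_verify() (
    cd "$1" || exit 1
    days=$2

    # Stand-in for the GUI-generated CSR (on vManage, use web_cert.csr as-is).
    openssl req -new -newkey rsa:2048 -nodes -keyout web_cert.key \
        -subj "$SUBJ" -out web_cert.csr 2>/dev/null || exit 1

    # Step 6: root CA private key.
    openssl genrsa -out rootca.key 2048 2>/dev/null || exit 1

    # Step 7: self-signed root CA certificate; -subj replaces the prompts.
    openssl req -x509 -new -nodes -key rootca.key -sha256 -days 4000 \
        -subj "$CA_SUBJ" -out rootca.pem || exit 1

    # Step 8: sign the CSR with the root CA certificate and key.
    openssl x509 -req -in web_cert.csr -CA rootca.pem -CAkey rootca.key \
        -CAcreateserial -sha256 -days "$days" -out web_cert.crt \
        2>/dev/null || exit 1

    # Check 1: the issued certificate chains to rootca.pem.
    openssl verify -CAfile rootca.pem web_cert.crt >/dev/null || exit 1

    # Check 2: the certificate carries the same public key as the CSR, so it
    # matches the private key vManage holds for that CSR.
    csr_pub=$(openssl req -in web_cert.csr -noout -pubkey | openssl sha256)
    crt_pub=$(openssl x509 -in web_cert.crt -noout -pubkey | openssl sha256)
    [ "$csr_pub" = "$crt_pub" ] || exit 1

    # Check 3: the certificate is still valid one day from now.
    openssl x509 -in web_cert.crt -noout -checkend 86400 >/dev/null || exit 1
)
```

The function returns non-zero if any openssl step or check fails, so a zero exit status means web_cert.crt is ready to paste into the Import dialog of step 10.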