Enable SDWAN Controllers Certificate Renewal via Manual Method

Available Languages

Download Options

  • PDF     (877.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (670.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (606.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 24, 2026
Document ID:220426

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.


Introduction

This document describes the steps to renew the SD-WAN certificate on the controllers through Cisco or manually.

Available Methods

There are four different options available for the Controller Certificate Authorization.

  • Cisco (Recommended) - Semi-automated process that uses the Cisco Plug and Play (PnP) portal to sign the CSR generated by the vManage to automatically download and installs them.
  • Manual - Manual certificate sign through Cisco PnP.
  • Symantec - Manual third-party certificate sign through Symantec/Digicert.
  • Enterprise Root Certificate - Manual certificate sign through a private Root Certificate Authority (CA).

This document describes only the steps for the Cisco (Recommended) and Manual methods.

caution-icon

Caution: The certificates covered in this document are not related to the Web Certificate for vManage.

Requirements

  • A PC/Laptop.
  • A Netadmin account for the vManage GUI and for for each controller (vManage, vSmart, and vBond).
  • Access to the CA Server.
  • For Cisco (recommended) or Manual, a valid account/password for the PnP Portal.
  • For Cisco (recommended), the vManage must have internet access.
  • All the Controllers need a valid NTP server and/or all of them need to have the correct date and time.
  • Communication between the vBond and vSmart to the vManage.

note-icon

Note: The certificate install in the vManage would not impact your control plane or data plane. For the certificate in the vSmart, the control connections can be affected. The control plane continue to work due to the OMP graceful timer. To perform a certificate change, you must schedule a maintenance window for the activity.

Renewal Process 

This is a high-level procedure:

  1. Identify the Controller Certificate Authorization option in use on the vManage GUI.
  2. Generate a new CSR  through the vManage GUI.
  3. Create a new Certificate.
  4. Download the Certificate.
  5. Install the Certificate.


Cisco (Recommended)

  1. Navigate to vManage >  Administration  > Settings > Certificate Authority Server.
    • Verify the correct option is selected.
    • Select the duration of the certificate.

Administration Settings

2. Scroll down to Smart Account Credentials and introduce the valid User/Password. The credentials must have access to the Smart Account where the SD-WAN overlay is configured, as shown in the image.

Administration Settings - Smart Account Credentials

3. Navigate to vManage > Configuration > Certificates > Controllers.

        • Select the ellipsis (...) on the controller (vBond, vSmart or vManage).
        • Select Generate CSR.

Send to vBond

4. 5 - 20 minutes is required for the process to finish.

Verify the installation was correct in the GUI vManage > Configuration > Certificates > Controllers.

Send to vBond Controllers

Manual (PnP)

1. Navigate to vManage >  Administration  > Settings > Certificate Authority Server.

              • Verify the correct option is selected.

2. Navigate to vManage > Configuration > Certificates > Controllers.

              • Select the ellipsis (...) on the controller (vBond, vSmart or vManage).
              • Select Generate CSR.
              • Copy and save all text in a temporally file. 

3. Access the PnP portal, select your SD-WAN overlay, and navigate to certificates, as shown in the image.

PnP Certificates - Virtual Account

4. In the Certificates section, click Generate a new certificate and enter all information.

    • On Certificate Signing Request, enter the CSR generated on Step 2.

PnP Connect - Identify Certificate

5. Click Submit and Done

PnP Connect - Review and Submit

PnP Connect - Attempt to Generate Certificate

6. After a few minutes, the certificate is ready to download.

    • Download the certificate file.
    • Access the vManage GUI.
    • Select install certificate under vManage > Certificate > Controllers.
    • Select the certificate in the pop-up window.

Note If you cannot see or select the certificate, ensure you select the All files under the format option. If the format box is not visible, use a different web browser.

View All Files

Install Certificate

 7. The certificate is now installed.

Install Certificate Success Message

Common Problems

Time Mismatch

Cisco Cloud hosted controllers have a NTP server configured. If the NTP is not present due to a configuration change, the controllers can have different times and this can interfere with the certificate installation or CSR generation. Ensure the controllers have the same time. 

Cannot Establish Connection

The SD-WAN controllers must be reachable via the interface configured under VPN0. Verify there is Layer 3 and Layer 4 communication. You can check the logs of the controller via console for more details about the problem. 

Revision History

Revision Publish Date Comments
2.0
24-Jun-2026
Updated Introduction Section, grammar, spelling, spacing, alt text, sentence structure, and CCW alerts.
1.0
27-Apr-2023
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Eliel Garcia
    Technical Consulting Engineer
  • Edited by Ian Emanuel Estrada
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco