Cisco Catalyst Center Administrator Guide, Release 3.2.x

Certificate authority

Overview

A certificate authority (CA) is an entity that manages the certificates and keys that are used to establish and secure server-client connections. Catalyst Center provides a private (internal) CA, which acts as the device CA. This Catalyst Center CA can either operate as a root CA or be configured as a subordinate CA; the change from root CA to subordinate CA cannot be reversed.


Change the role of the certificate authority from root to subordinate

The device CA, a private CA that is provided by Catalyst Center, manages the certificates and keys that are used to establish and secure server-client connections. To change the role of the device CA from a root CA to a subordinate CA, complete this procedure.

You can change the role of the private (internal) Catalyst Center CA from a root CA to a subordinate CA using the Certificate Authority window in the GUI. When making this change:

  • If you want Catalyst Center to act as a subordinate CA, you need an external root CA (for example, a Microsoft CA) whose certificate you are prepared to trust.

  • As long as the subordinate CA is not fully configured, Catalyst Center continues to operate as an internal root CA.

  • Generate a Certificate Signing Request file for Catalyst Center and ensure it is manually signed by your external root CA, as described in this procedure.

    Note

    Catalyst Center continues to run as an internal root CA during this time period.

  • After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Catalyst Center using the GUI (as described in this procedure).

    After the import, Catalyst Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.

  • When you switch the CA role from root to subordinate, the old root CA is retired and the new subordinate CA's PKI chain takes over. A CRL is published by the CA that issued the certificates, so once that CA is retired, revoking its certificates is moot: nothing trusts that CA any longer. If your organization's policy requires that unused certificates be revoked first, revoke them in the GUI's Device Certificates window before switching the CA role from root to subordinate.

    Device controllability (enabled by default) automatically pushes the new certificate chain, sourced from the subordinate CA, to the devices. New telemetry connections authenticate only with this new chain, which matches the subordinate CA trusted on the authenticator side.

  • The subordinate CA certificate lifetime displayed in the GUI is read directly from the certificate's validity period and is not recalculated against the system time; it is the total lifetime, not the time remaining. If you install a certificate with a 1-year lifespan today and look at it in the GUI at the same time next year, the GUI still shows a 1-year lifetime.

  • The subordinate CA certificate must be in one of these formats: .pem, .crt, .cer, .der.

  • The subordinate CA does not interact with the CAs above it, so it is not aware of any revocation of certificates at a higher level, and no such revocation information is passed from the subordinate CA to the network devices. For this reason, all network devices use only the subordinate CA as their CRL Distribution Point (CDP) source.

  • If you use EAP-Transport Layer Security (EAP-TLS) authentication for AP profiles in Plug and Play (PnP), you cannot use a subordinate CA; only a root CA is supported.

Before you begin

You must have a copy of the root CA certificate.

Procedure

1.

From the main menu, choose System > Settings > Certificates > Certificate Authority.

2.

Under CA Management, review the existing root or subordinate CA certificate configuration information: CA mode, certificate issuer, issued to, and lifetime value of the current certificate.

3.

To change from a root CA to a subordinate CA, click Enable SubCA Mode.

4.

Review the warnings that display:

For example,

  • Changing from root CA to subordinate CA is a process that cannot be reversed.

  • You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Revoke the certificates of any devices enrolled in root CA mode before changing to subordinate CA.

  • Network devices must come online only after the subordinate CA configuration process finishes.

5.

Click OK to proceed.

6.

Drag and drop your root CA certificate into the Import External Root CA Certificate Chain field and click Upload.

The root CA certificate is uploaded into Catalyst Center and used to generate a Certificate Signing Request.

After the upload process finishes, a Certificate Uploaded Successfully message is displayed.

7.

Click Next.

Catalyst Center generates and displays the Certificate Signing Request.

8.

View the Catalyst Center-generated Certificate Signing Request in the GUI and do one of these actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send to your root CA.

  • Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

9.

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a subordinate CA file, which you must import back into Catalyst Center.

10.

After receiving the subordinate CA file from your root CA, access the Catalyst Center GUI again and return to the Certificate Authority window.

11.

Click the CA Management tab.

12.

Click Yes for the Change CA mode button.

After you click Yes, the GUI displays the Certificate Signing Request.

13.

Click Next.

The Certificate Authority window displays the Import SubCA Certificate field.

14.

Drag and drop your subordinate CA certificate into the Import SubCA Certificate field and click Save.

The subordinate CA certificate is uploaded into Catalyst Center.

After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.

15.

Review the fields under the CA Management tab:

  • Sub CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Sub CA Certificate Lifetime: Displays the lifetime value of the subordinate CA certificate.

  • Current CA Mode: Displays SubCA mode.


Provision a rollover subordinate CA certificate

Catalyst Center lets you save a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA lifetime has elapsed.

Before you begin

  • To initiate subordinate CA rollover provisioning, you must have changed the certificate authority role to subordinate CA mode. Refer to Change the role of the certificate authority from root to subordinate.

  • 70 percent or more of the lifetime of the current subordinate CA certificate must have elapsed. When this occurs, Catalyst Center displays a Renew button under the CA Management tab.

  • You must have a signed copy of the rollover subordinate CA certificate.

Procedure

1.

From the main menu, choose System > Settings > Certificates > Certificate Authority.

2.

In the CA Management tab, review the CA certificate configuration information:

  • Subordinate CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Subordinate CA Certificate Lifetime: Displays the lifetime value of the current subordinate CA certificate.

  • Current CA Mode: Displays SubCA mode.

3.

Click Renew.

Catalyst Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request.

4.

View the generated Certificate Signing Request in the GUI and do one of these actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send it to your root CA.

  • Click the Copy to the Clipboard link to copy the content of the Certificate Signing Request file.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

5.

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a rollover subordinate CA file that you must import back into Catalyst Center.

The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA that signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode.

6.

After receiving the rollover subordinate CA file from your root CA, return to the Certificate Authority window.

7.

Click the CA Management tab.

8.

Click Next in the GUI in which the Certificate Signing Request displays.

The Certificate Authority window displays the Import Sub CA Certificate field.

9.

Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Save.

The rollover subordinate CA certificate is uploaded into Catalyst Center.

After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab.
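Two different quantities are involved in this section and in the lifetime note of the previous one: the certificate lifetime the GUI displays (taken from the certificate, unchanged as time passes) and the 70 percent threshold that makes Renew appear (which does depend on the current time). The script below is an added example, not code from the Catalyst Center guide, that computes both from a certificate with openssl so you can predict when rollover becomes available. It assumes GNU `date` for converting the openssl date strings.

```shell
#!/bin/sh
# Added example, not from the Catalyst Center guide: read a subordinate CA
# certificate's lifetime the way the GUI reports it (from the certificate, not
# the clock) and, separately, decide whether the 70 percent rollover threshold
# has been reached, which does depend on the current time.
set -e

# Convert an openssl date string ("Jan  1 00:00:00 2026 GMT") to epoch seconds.
# Assumes GNU date; on BSD/macOS use: date -j -f "%b %d %T %Y %Z" "$1" +%s
to_epoch() {
  date -u -d "$1" +%s
}

cert_not_before() {      # $1 = certificate file (PEM)
  to_epoch "$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')"
}

cert_not_after() {       # $1 = certificate file (PEM)
  to_epoch "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
}

# Lifetime in days as the GUI reports it: notAfter minus notBefore, with no
# reference to today's date. A 1-year certificate reports 365 on its last day.
cert_lifetime_days() {   # $1 = certificate file (PEM)
  echo $(( ( $(cert_not_after "$1") - $(cert_not_before "$1") ) / 86400 ))
}

# Percentage of the lifetime that has elapsed at a given moment, clamped to
# 0..100. Epoch arguments keep the arithmetic testable without a certificate.
elapsed_percent() {      # $1 = notBefore epoch, $2 = notAfter epoch, $3 = now epoch
  total=$(( $2 - $1 ))
  if [ "$total" -le 0 ]; then echo 100; return; fi
  used=$(( $3 - $1 ))
  if [ "$used" -lt 0 ]; then used=0; fi
  if [ "$used" -gt "$total" ]; then used=$total; fi
  echo $(( used * 100 / total ))
}

# Rollover is due (the GUI shows Renew) once 70 percent or more has elapsed.
rollover_due() {         # same arguments as elapsed_percent; exit 0 if due
  [ "$(elapsed_percent "$1" "$2" "$3")" -ge 70 ]
}

# Same decision driven by a certificate file and the current time.
cert_rollover_due() {    # $1 = certificate file (PEM)
  rollover_due "$(cert_not_before "$1")" "$(cert_not_after "$1")" "$(date -u +%s)"
}

# Usage: sh subca_rollover.sh subca.crt
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  echo "lifetime (as shown in GUI): $(cert_lifetime_days "$1") days"
  if cert_rollover_due "$1"; then echo "rollover due: Renew should be available"
  else echo "rollover not yet due"; fi
fi
```

The clamping matters for the edge cases: a certificate whose notBefore is in the future reports 0 percent, and an expired one reports 100 percent rather than a value above it.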


Use an external SCEP broker

Catalyst Center uses the Simple Certificate Enrollment Protocol (SCEP) for enrollment and the provisioning of certificates to network devices. You can use the SCEP broker and certificate service built into Catalyst Center, or you can use an external SCEP broker. To set up an external SCEP broker, complete this procedure:

Note

For more information regarding SCEP, see Simple Certificate Enrollment Protocol Overview.

Procedure

1.

From the main menu, choose System > Settings > Certificates > Certificate Authority.

2.

In the Certificate Authority window, click the Use external SCEP broker radio button.

3.

Use one of these options to upload an external certificate:

  • Choose a file

  • Drag and drop to upload

Note

Only file types such as .pem, .crt, and .cer are accepted. The file size cannot exceed 1 MB.

4.

Click Upload.

5.

By default, Manages Device Trustpoint is enabled, meaning Catalyst Center configures the sdn-network-infra-iwan trustpoint on the device. You must complete these steps:

  1. Enter the enrollment URL where the device requests the certificate via SCEP.

  2. (Optional) Enter any optional subject fields used by the certificate, such as country, locality, state, organization, and organization unit. The common name (CN) is automatically configured by Catalyst Center with the device platform ID and device serial number.

  3. In the Revocation Check field, click the drop-down list and choose the appropriate revocation check option.

  4. (Optional) Check the Auto Renew check box and enter an auto enrollment percentage.

If Manages Device Trustpoint is disabled, for devices to send wired and wireless Assurance telemetry to Catalyst Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate. See Configure the Device Certificate Trustpoint.

6.

Click Save.

The external CA certificate is uploaded.

If you want to replace the uploaded external certificate, click Replace Certificate and enter the required details.
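The external certificate you upload in step 3 and the enrollment URL you enter in step 5 have to agree: the devices enrol against the URL, and what they get back must chain to the certificate Catalyst Center holds. The script below is an added example, not code from the Catalyst Center guide, that checks this before devices are pointed at the broker by issuing the SCEP GetCACert operation (RFC 8894) against the enrollment URL and comparing the returned CA certificate with the uploaded file. The URL is a placeholder assumption; `curl`, `awk` and openssl are assumed to be available, and the offline test feeds a locally constructed GetCACert response instead of fetching one.

```shell
#!/bin/sh
# Added example, not from the Catalyst Center guide: confirm that an external
# SCEP broker's enrollment URL answers GetCACert and that the CA certificate it
# returns matches the external certificate uploaded to Catalyst Center.
# The broker URL is a placeholder assumption for the demonstration.
set -e

# Fetch the GetCACert response. A SCEP broker returns either a single DER
# certificate or a degenerate PKCS#7 bundle carrying the CA/RA chain.
scep_get_cacert() {      # $1 = enrollment URL, $2 = output file
  curl -fsS "$1?operation=GetCACert" -o "$2"
}

# Normalise the response into PEM, whichever of the two encodings came back.
scep_response_to_pem() { # $1 = raw response, $2 = output PEM file
  if openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null; then
    return 0
  fi
  openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {          # $1 = PEM certificate file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the uploaded external certificate appears in the broker's response.
# The bundle may hold several certificates (CA plus RA), so split it first and
# compare fingerprints rather than subjects, which an attacker could mimic.
broker_matches_upload() { # $1 = PEM from broker, $2 = uploaded external cert
  want=$(fingerprint "$2")
  awk -v out="$1" '/-----BEGIN CERTIFICATE-----/{n++} {print > (out "." n)}' "$1"
  for f in "$1".[0-9]*; do
    [ -f "$f" ] || continue
    if [ "$(fingerprint "$f")" = "$want" ]; then return 0; fi
  done
  return 1
}

# Usage: SCEP_URL=https://scep.example.com/scep sh scep_check.sh external.pem
if [ -n "${SCEP_URL:-}" ] && [ -n "${1:-}" ]; then
  T=$(mktemp -d)
  scep_get_cacert "$SCEP_URL" "$T/getcacert.bin"
  scep_response_to_pem "$T/getcacert.bin" "$T/getcacert.pem"
  if broker_matches_upload "$T/getcacert.pem" "$1"; then
    echo "broker CA matches uploaded certificate $1"
  else
    echo "MISMATCH: broker CA does not match $1; do not point devices at it"; exit 1
  fi
fi
```

A mismatch here means devices enrolled through the broker would present certificates that Catalyst Center cannot validate against the uploaded external certificate, so Assurance telemetry from those devices would not authenticate.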


Switch back to an internal certificate authority

After uploading an external certificate, to switch back to the internal certificate authority:

Procedure

1.

From the main menu, choose System > Settings > Certificates > Certificate Authority.

2.

In the Certificate Authority window, click the Use Catalyst Center radio button.

3.

In the Switching back to Internal Certificate Authority alert, click Apply.

The Settings have been updated message appears. For more information, see Change the role of the certificate authority from root to subordinate.


Export the Catalyst Center certificate authority

Catalyst Center allows you to download the device CA certificate that an external entity, such as an AAA server or a Cisco ISE server, needs in order to authenticate the devices.

Procedure

1.

From the main menu, choose System > Settings > Certificates > Certificate Authority.

2.

Click Download to export the device CA and add it as the trusted CA on the external entities.


Reset CA certificate

Use the reset CA feature to recover from renewal problems or from an expired CA. Because subordinate CAs are created with a defined lifetime, this feature lets you reset the CA when a subordinate CA expires or when you want to switch to another subordinate CA.

Procedure

1.

From the main menu, choose System > Settings > Certificates > Certificate Authority.

2.

In the CA table, locate the request that you want to reset. Under Action, hover your cursor over the vertical ellipsis icon and click Reset to Default.

3.

Click Yes in the Warning message.

Resetting the certificate to RootCA may take up to five minutes. Refresh the CA page after a few minutes to see the updated status.