Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

Provision certificates on the reverse proxy

Describes how to provision the certificates required for a reverse proxy and WAN edge devices to authenticate each other.


On the reverse proxy, you must provision a certificate signed by the same Certificate Authority (CA) that signed the certificate of the Cisco SD-WAN Controllers. The certificate provisioned on the reverse proxy is used to authenticate the WAN edge devices.

Procedure

1. Generate a Certificate Signing Request (CSR) for the reverse proxy and have it signed by Cisco.

   Run the following command on the reverse proxy:

   Example:

       proxy$ openssl req -new -days 365 -newkey rsa:2048 -nodes -keyout Proxy.key -out Proxy.csr

When prompted, enter values as suggested in the following table:

Table 1. CSR Prompt Fields and Example Values

| Property | Description |
|---|---|
| Country Name (2 letter code) | Any country code. Example: US |
| State or Province Name | Any state or province. Example: CA |
| Locality Name | Any locality. Example: San Jose |
| Organization Name | Organization name used in the overlay. Starting from Cisco Catalyst SD-WAN Manager Release 20.12.1, you cannot include a comma in the Organization Name field of the bootstrap configuration file. Example: Cisco |
| Organizational Unit Name | Organizational unit name used in the overlay. Example: cisco-sdwan-12345 |
| Common Name | Host name ending with cisco.com. Example: proxy.cisco.com |
| Email Address | Use any valid email address. Example: someone@example.com |

2. If you use Cisco Public Key Infrastructure (PKI) as the CA for the Cisco SD-WAN Controllers, submit the CSR on the Cisco Network Plug and Play (PnP) application and retrieve the signed certificate.
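A non-interactive form of step 1 with a check of the resulting CSR against the table's constraints before it is submitted for signing. This is an added example, not taken from Cisco's documentation; the helper names `field`, `make_csr` and `check_csr` are hypothetical, and the subject values are the table's example values.

```shell
#!/bin/sh
# Added example (not Cisco's code): build the CSR non-interactively, then
# check it against the table's constraints before submitting it for signing.

# field FILE LONGNAME -> value of one subject attribute (empty if absent)
field() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n "s/^ *$2 *= //p"
}

# make_csr DIR ORG CN -> writes DIR/Proxy.key and DIR/Proxy.csr.
# Other subject values are the page's examples. -days is omitted because
# OpenSSL only applies it when -x509 is given.
make_csr() {
    ( umask 077   # -nodes leaves the key unencrypted: keep it owner-only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/Proxy.key" -out "$1/Proxy.csr" \
          -subj "/C=US/ST=CA/L=San Jose/O=$2/OU=cisco-sdwan-12345/CN=$3/emailAddress=someone@example.com" \
          2>/dev/null )
}

# check_csr FILE -> prints each problem found; returns 0 only if none.
check_csr() {
    rc=0
    # Match on the message text: older OpenSSL exits 0 even on failure.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify"; rc=1; }
    bits=$(openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key shorter than 2048 bits"; rc=1; }
    org=$(field "$1" organizationName)
    [ -n "$org" ] || { echo "Organization Name missing"; rc=1; }
    # Comma rule from the table's note (Release 20.12.1 and later).
    case $org in *,*) echo "Organization Name contains a comma"; rc=1 ;; esac
    [ -n "$(field "$1" organizationalUnitName)" ] ||
        { echo "Organizational Unit Name missing"; rc=1; }
    case $(field "$1" commonName) in
        *cisco.com) ;;
        *) echo "Common Name does not end with cisco.com"; rc=1 ;;
    esac
    return $rc
}
```

Run `check_csr Proxy.csr` on the reverse proxy before uploading the CSR; a non-zero exit status means at least one field needs to be regenerated.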