Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Automated certificate management

Want to summarize with AI?

Log in

Describes the automated certificate management using EST and SCEP protocols for WAN edge devices.


Automated certificate management on Cisco SD-WAN Manager is a system that

  • uses protocols such as EST and SCEP to automate certificate enrollment and renewal for WAN edge devices

  • introduces enterprise certificate settings to unify certificate management across controller components, hardware WAN edges, and cloud WAN edges, and

  • requires manual intervention to initiate renewal processes when certificate expiry alarms are triggered.

Certificate management functionality

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a and Cisco Catalyst SD-WAN Manager Release 20.18.1

In Cisco SD-WAN Manager automatic renewal of certificates using SCEP and EST configurations occurs only during the initial device onboarding or when migrating from a hardware SUDI certificate to an enterprise certificate. For subsequent renewals, manual intervention is required to initiate the process when a certificate expiry alarm is triggered in Cisco SD-WAN Manager. Once renewal is manually initiated, the system automatically manages the enrollment and installation of the new certificates. For more information, see Edge device certificate management .

Certificate management with Cisco SD-WAN Manager as a fabric client

Cisco SD-WAN Manager functions as a fabric client that:

  • supports SCEP and EST protocols to facilitate certificate enrollment and renewal for devices

  • enables independent certificate management on Cisco SD-WAN control components and WAN edge devices, and

  • enhances network security and operational flexibility.


Prerequisites for automated certificate management on CA servers

System requirements and reachability

  • Based on the chosen VPN (0 or 512), ensure that a route to the CA server is added, or that the CA server is reachable from the selected VPN.

  • Ensure that the minimum key size for certificates is 2048 bits or higher in CA servers.

Encryption algorithm requirements

For Cisco SD-WAN Controllers, to renew certificates by configuring SCEP, the CA server should support encryption algorithm higher than triple DES.

EST configurations

Configure EST enrollment settings to ensure proper certificate management.

  • Ensure that Cisco SD-WAN Manager enrolls through the EST URL and EST is enabled on the CA. Any certificate requested from Cisco SD-WAN Manager may include custom Common Name (CN) and Organizational Unit (OU) values. The CA should be configured not to override these custom values.

  • Configure a username and password for EST enrollment if configured on CA server.

  • When configuring EST, you must provide the hostname or IP address that matches the digital certificate of the server. Cisco SD-WAN Manager uses hostname verification in EST client.

SCEP configurations

Configure SCEP protocol settings on the CA server to support automated certificate enrollment.

  • Allow SCEP protocol on the CA server.

  • Configure a default SCEP alias if required.

  • Enable enrollment through SCEP.

  • Set a higher requests-per-minute limit on the CA server to accommodate anticipated enrollment volume.

  • Ensure the minimum key size for certificates is 2048 bits or higher.

  • Use an encryption algorithm stronger than triple DES.