Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Renew certificates using the Control Components Certificate Management workflow

Follow this procedure to renew certificates with the Control Components Certificate Management workflow.


The Control Components Certificate Management workflow provides two methods:

  • Auto: For each selected SD-WAN Control Component, SD-WAN Manager generates a certificate signing request (CSR), sends the CSR to the certificate authority (CA) for signing, then installs the signed certificate on the component.

    The Auto option is available if you have selected one of the Cisco PKI, EST, or SCEP options in Administration > Settings > Certificate settings.

  • Manual: For each selected SD-WAN Control Component, SD-WAN Manager generates a certificate signing request (CSR) for you to download. Then you manually handle the certificate signing and re-upload the signed certificate. The workflow then installs the signed certificate on the component.

Before you begin

The workflow's automatic certificate signing option has two prerequisites. If they are not met, the workflow offers only the manual signing option. The prerequisites are:

  • Smart Account and Virtual Account

    In Cisco Catalyst SD-WAN Manager Release 20.18.1 and earlier, enter Smart Account and Virtual Account details in Cisco SD-WAN Manager.

    1. From the Cisco SD-WAN Manager menu, choose Administration > Settings > Smart Account Credentials.

    2. Enter your Smart Account or Virtual Account credentials in the Username and Password fields.

  • Registering Plug-and-Play

    From Cisco Catalyst SD-WAN Manager Release 20.18.2, service providers in a multitenant environment and tenants in a single-tenant environment must register the Plug-and-Play service.

  • Certificate signing by Cisco

    1. From the Cisco SD-WAN Manager menu, choose Administration > Settings > Certificate settings.

    2. Click Control Components.

    3. Change Certificate Signing by to Cisco.

Procedure

1. Do one of these to launch the Control Components Certificate Management workflow:

  • Launch from the workflow library.

    1. From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

    2. Launch the Control Components Certificate Management workflow.

  • Launch from the Control Components page.

    1. From the Cisco SD-WAN Manager menu, choose Configuration > Devices > Control Components.

    2. Click Certificate management to launch the Control Components Certificate Management workflow.

2. Choose Auto or Manual, select the desired SD-WAN Control Components, and proceed according to the instructions in the workflow.

For the Manual option:

  • File formats

    If you use the Manual option, which requires you to complete the signing for each certificate manually, outside of SD-WAN Manager, add the signed certificates to a single archive file to upload at the required step. The workflow supports these file formats for upload:

    • zip

    • pem

    • crt

    • cer

    If you are renewing certificates for multiple SD-WAN Control Components simultaneously, we recommend using the zip format so that you can combine all certificates into a single zip file to upload.

  • Signed certificates

    If you use the Manual option, which requires you to complete the signing for each certificate manually, the archive file that you upload with the signed certificates must include a signed certificate for each selected SD-WAN Control Component. If the uploaded file does not contain signed certificates for each, the workflow does not proceed.
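
A pre-upload check for the requirement above that the archive contain a signed certificate for each selected component, as an added example that is not from the Cisco guide: it pairs each downloaded CSR with a certificate carrying the same public key and flags any CSR left unmatched or matched only by an expired certificate. The directory layout, the function names, and PEM encoding are assumptions, and the public-key match is this example's own check, not a description of how SD-WAN Manager validates the upload.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check for the Manual option. Not Cisco code.
# Assumed layout (hypothetical): CSRs downloaded from the workflow are saved as
# *.csr in one directory; the CA's signed PEM certificates (*.pem, *.crt, *.cer)
# are in another directory that you will zip and upload.

# Print the SHA-256 of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_fp() {
  local pem
  pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# check_bundle CSR_DIR CERT_DIR
# Returns 0 only if every CSR has an unexpired certificate with the same public key.
check_bundle() {
  local csr cert want found bad=0
  for csr in "$1"/*.csr; do
    [ -e "$csr" ] || { echo "no CSRs found in $1" >&2; return 2; }
    want=$(pubkey_fp req "$csr") || { echo "unreadable CSR: $csr" >&2; return 2; }
    found=
    for cert in "$2"/*.pem "$2"/*.crt "$2"/*.cer; do
      [ -e "$cert" ] || continue          # glob matched nothing
      if [ "$(pubkey_fp x509 "$cert")" = "$want" ]; then
        found=$cert
        break
      fi
    done
    if [ -z "$found" ]; then
      echo "MISSING: no signed certificate matches ${csr##*/}"
      bad=1
    elif ! openssl x509 -in "$found" -noout -checkend 0 >/dev/null 2>&1; then
      echo "EXPIRED: ${found##*/}"
      bad=1
    else
      echo "OK: ${csr##*/} -> ${found##*/}"
    fi
  done
  return "$bad"
}

# Stand-alone use: pass the CSR directory and the certificate directory.
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```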