Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later


Describes how SD-WAN Manager stages and tests new edge device certificates with the SD-WAN Validator before installation, completing the install only if the staged certificate successfully establishes a validated control connection.


Summary

In a Cisco Catalyst SD-WAN environment, edge devices present certificates for authorization when they establish control connections with SD-WAN Control Components. From SD-WAN Manager 20.18.1, when SD-WAN Manager installs a new certificate on a device, the device first tests the certificate in a staging step before the installation proceeds. During the staging step, the device verifies that it can establish a control connection to the SD-WAN Validator using the new certificate. If the SD-WAN Validator cannot validate the certificate, it rejects the connection and the installation does not proceed, so the certificate already installed on the device stays in place.

Workflow

  1. SD-WAN Manager stages the new certificate on a WAN edge device.
  2. The device attempts a control connection to the SD-WAN Validator, using the staged certificate for authorization. Staging and testing can take a minute or more.
    • If the certificate is valid and the SD-WAN Validator recognizes it, the Validator accepts the control connection.
    • If the certificate is invalid or the SD-WAN Validator does not recognize it, the Validator rejects the control connection.
  3. The edge device reports the staging result to SD-WAN Manager: success or failure.
    • On success, SD-WAN Manager completes the installation of the certificate on the device.
    • On failure, SD-WAN Manager does not install the certificate, the device keeps its existing certificate, and SD-WAN Manager adds a log entry recording the failure.
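The workflow above, modelled as a small stage-test-commit simulation. This is an added example, not Cisco code and not the actual SD-WAN control-plane protocol: the Certificate, Validator, EdgeDevice and Manager classes are constructed stand-ins, and the Validator's acceptance rule (trusted issuer, validity period, serial on an authorized list) is an assumption about what "recognizes the certificate" means. The point it shows is that a rejected staging attempt leaves the device's active certificate untouched and produces a log entry, while only an accepted one is committed.

```python
"""Toy model of staged certificate installation (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 device certificate (constructed, not real X.509)."""
    serial: str
    issuer: str
    not_before: datetime
    not_after: datetime


class Validator:
    """Stand-in for the SD-WAN Validator. Acceptance rule is an assumption:
    trusted issuer, inside validity period, serial on the authorized list."""

    def __init__(self, trusted_issuers, authorized_serials):
        self.trusted_issuers = set(trusted_issuers)
        self.authorized_serials = set(authorized_serials)

    def accept_control_connection(self, cert, now):
        """Return (accepted, reason) for a control connection using cert."""
        if cert.issuer not in self.trusted_issuers:
            return False, f"untrusted issuer {cert.issuer!r}"
        if not (cert.not_before <= now <= cert.not_after):
            return False, "certificate outside validity period"
        if cert.serial not in self.authorized_serials:
            return False, f"serial {cert.serial!r} not in authorized list"
        return True, "control connection accepted"


class Outcome(Enum):
    INSTALLED = "installed"
    REJECTED = "rejected"


@dataclass
class EdgeDevice:
    """Edge device holding one active certificate and at most one staged one."""
    name: str
    active_cert: Certificate
    staged_cert: Optional[Certificate] = None

    def stage(self, cert):
        self.staged_cert = cert

    def test_staged(self, validator, now):
        # Staging step: try the staged certificate, active one is not touched.
        return validator.accept_control_connection(self.staged_cert, now)

    def commit_staged(self):
        self.active_cert = self.staged_cert
        self.staged_cert = None

    def discard_staged(self):
        self.staged_cert = None


@dataclass
class Manager:
    """Stand-in for SD-WAN Manager: commits only after a successful staging test."""
    log: list = field(default_factory=list)

    def install_certificate(self, device, cert, validator, now):
        device.stage(cert)
        ok, reason = device.test_staged(validator, now)
        if ok:
            device.commit_staged()
            self.log.append(f"{device.name}: installed serial {cert.serial}")
            return Outcome.INSTALLED
        device.discard_staged()
        self.log.append(f"{device.name}: staging failed for serial {cert.serial}: {reason}")
        return Outcome.REJECTED


def demo():
    """Two failing installs (unauthorized serial, expired) then one that succeeds."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    year = timedelta(days=365)
    old = Certificate("OLD-1", "Example-Root", now - year, now + year)
    new_ok = Certificate("NEW-1", "Example-Root", now, now + year)
    new_unknown = Certificate("NEW-2", "Example-Root", now, now + year)  # not authorized
    new_expired = Certificate("NEW-3", "Example-Root", now - 2 * year, now - year)
    validator = Validator({"Example-Root"}, {"OLD-1", "NEW-1"})
    device = EdgeDevice("edge-1", old)
    mgr = Manager()
    results = [
        mgr.install_certificate(device, new_unknown, validator, now),
        mgr.install_certificate(device, new_expired, validator, now),
        mgr.install_certificate(device, new_ok, validator, now),
    ]
    return [r.value for r in results], device.active_cert.serial, mgr.log


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

In the demo, the first two attempts are rejected and the device stays on its original certificate; only the third, which the validator accepts, replaces it. The real device performs this test by attempting an actual control connection, and the real validation criteria are the Validator's, not the three checks modelled here.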