A Cisco SD-WAN public key infrastructure (PKI) certificate is a digital certificate that:
- provides automated certificate management by linking certificates to a Smart Account and Virtual Account, and
- supports a variety of security protocols such as IP Security (IPsec), Secure Shell (SSH), and Secure Sockets Layer (SSL).
PKI provides a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every entity (a person or a device) participating in the secured communication is enrolled in the PKI. During enrollment the entity generates a Rivest, Shamir, and Adleman (RSA) key pair (one private key and one public key) and has its identity validated by a trusted entity, known as a certificate authority (CA) or trustpoint.
Before Cisco Catalyst SD-WAN Manager Release 20.18.1, SD-WAN Manager-signed certificates were installed on the controller devices by default. From Cisco Catalyst SD-WAN Manager Release 20.18.1, virtual routers use a Cisco PKI certificate by default. After you reset a WAN edge device, you must install the certificates on the device manually. If you perform an upgrade, your certificate is retained.
When you upgrade to Cisco Catalyst SD-WAN Manager Release 20.18.1 or later, the SD-WAN Controllers continue to support an SD-WAN Manager-signed certificate if it is already enabled. However, when the certificates are renewed, the SD-WAN Controllers receive a PKI certificate by default.
Comparison with other certificates
In contrast with Symantec/Digicert certificates, Cisco PKI certificates are linked to a Smart Account (SA) and Virtual Account (VA) in Plug and Play (PnP) and do not require manual approval through a portal such as Digicert's. Each VA has a limit of 100 certificates, which means that each overlay is limited to 100 certificates. After the certificate signing request (CSR) is generated, approval and installation happen automatically, provided the Cisco SD-WAN Manager settings are configured correctly.
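The enrollment flow described above (the entity generates its own RSA key pair, a CSR is produced, a trustpoint validates it and issues the certificate) can be walked through end to end with the openssl command line. This is an added example and not part of this Cisco page or Cisco's tooling; the CA names, device names, subjects and validity periods are constructed for illustration. It also shows the property a PKI relies on: a certificate issued by an unrelated CA is rejected by the overlay's trustpoint.

```shell
#!/bin/sh
# Constructed PKI enrollment walkthrough using the openssl CLI.
# Assumptions: openssl is installed; all names below are illustrative.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: the trusted entity (CA / trustpoint) with a self-signed root certificate.
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 2: the enrolling entity generates its own RSA key pair and a CSR.
# Only the CSR (public key + identity) is sent to the CA; the private key stays put.
make_csr() {  # $1 = device name
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3: the CA validates the request and issues a certificate signed by its key.
sign_csr() {  # $1 = device name, $2 = CA name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 90 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Step 4: any peer holding the trustpoint can verify the chain; exit 0 means trusted.
verify_cert() {  # $1 = device name, $2 = trustpoint CA name
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Sanity check: the issued certificate carries the device's own public key.
key_matches_cert() {  # $1 = device name
  [ "$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout 2>/dev/null)" ]
}

# Full enrollment of one device against one trustpoint; exit 0 on success.
enroll() {  # $1 = device name, $2 = CA name
  make_csr "$1" && sign_csr "$1" "$2" && verify_cert "$1" "$2" && key_matches_cert "$1"
}

# Demonstration: one legitimate overlay trustpoint and one unrelated CA.
make_ca overlay-ca
make_ca unrelated-ca
enroll edge-1 overlay-ca && echo "edge-1: issued and trusted by overlay-ca"
enroll edge-2 unrelated-ca && echo "edge-2: issued and trusted by unrelated-ca"
# edge-2 was never validated by overlay-ca, so the overlay's trustpoint rejects it.
if verify_cert edge-2 overlay-ca; then
  echo "unexpected: edge-2 accepted by overlay-ca"
else
  echo "edge-2: rejected by overlay-ca (not issued by this trustpoint)"
fi
```

In a real deployment the CSR leaves the device and the signing happens at the CA; the device only ever holds its private key and receives the signed certificate back. The final check is the one worth remembering when troubleshooting: a device certificate is only as good as the trustpoint that validated it.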
Devices supporting PKI certificates
These devices support using PKI certificates:
| Device | Support |
|---|---|
| Cisco SD-WAN Manager | Yes |
| Cisco Catalyst SD-WAN Validator | Yes |
| Cisco Catalyst SD-WAN Controller | Yes |
| Cisco vEdge devices | Yes |
| Cisco IOS XE Catalyst SD-WAN devices | Yes |