Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Revoking certificates

Procedure to revoke designated certificates from devices that are included in a certificate revocation list (CRL), which is obtained from a root certificate authority (CA).
An enterprise certificate is a secure authentication framework that:

  • allows organizations to use their own private certificate signing authority instead of public authorities, and

  • authenticates and establishes secure communication between SD-WAN devices within the fabric.

If you are using enterprise certificates with Cisco Catalyst SD-WAN, you can enable SD-WAN Manager to revoke designated certificates from devices, as needed. For example, you might need to revoke certificates if there has been a security issue at your site.

Note
The certificate revocation feature is disabled by default.

SD-WAN Manager revokes the certificates that are included in a certificate revocation list (CRL) that SD-WAN Manager obtains from a root certificate authority (CA).

When you enable certificate revocation and provide the URL of the CRL to SD-WAN Manager, SD-WAN Manager polls the root CA at a configured interval, retrieves the CRL, and pushes the CRL to Cisco IOS XE Catalyst SD-WAN devices, Cisco vEdge devices, SD-WAN Validators, and SD-WAN Controllers in the overlay network. Certificates that are included in the CRL are revoked from devices.

When certificates are revoked, they are marked as not valid. Device control connections remain up until the next control connection flap occurs, at which time device control connections are brought down. To bring a device control connection back up, reinstall a certificate on the device and onboard the device.

When SD-WAN Manager revokes certificates from devices, the devices are not removed from the overlay network, but they are prevented from communicating with other devices in the overlay network. A peer device rejects a connection attempt from a device whose certificate is in the CRL.