Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Configure certificate revocation list-based quarantine

Want to summarize with AI?

Log in

Procedure to quarantine devices based on a certificate revocation list.


By default, the certificate revocation list (CRL)-based quarantine feature is disabled.

Before you begin

  • From the Cisco SD-WAN Manager menu, choose Administration > Settings. Select an option and choose enterprise mode to enable the CRL (certificate revocation list).

    • In the Controller Certificate Authorization field, choose Enterprise Root Certificate, or

    • In the Hardware WAN Edge Certificate Authorization field, choose Enterprise Certificate (signed by Enterprise CA), or

    • In the WAN Edge Cloud Certificate Authorization field, choose Manual (Enterprise CA - recommended).

  • Make a note of the URL of the CA CRL.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Administration > Settings.

2.

On the Administration Settings page, select Edit near Certificate Revocation List.

3.

Select CRL-Based Quarantine.

4.

In the CRL Server URL field, enter the URL of the CRL that you created on your secure server.

5.

In the Retrieval Interval field, enter the interval, in hours, for retrieving the CRL.

Possible values: 1 to 24

Default: 24 hours

6.

Select VPN 0 or VPN 512. SD-WAN Manager connects to a server to retrieve the CRL through the VPN 0 or VPN 512 interface.

7.

Select Save.

At the configured interval, SD-WAN Manager polls the CRL server for the latest CRL. It uses this list to determine whether to quarantine devices.

Note
If the CRL is disabled in earlier releases, the CRL remains disabled after upgrading to the Cisco vManage Release 20.11.1. If the CRL was enabled in a release prior to Cisco vManage Release 20.11.1, then after upgrading to Cisco vManage Release 20.11.1, the certificate revocation option is enabled with VPN0 as the default.