Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Certificate revocation list-based quarantine

Want to summarize with AI?

Log in

Describes certificate revocation list (CRL)-based quarantine, a security mechanism that quarantines devices whose certificates have been revoked and are listed in a certificate revocation list, moving the devices to a staging mode.


Certificate revocation list (CRL)-based quarantine is a security mechanism that

  • quarantines devices whose certificates have been revoked and are listed in a certificate revocation list received from a certificate authority,

  • moves quarantined devices into a staging mode, and

  • generates notifications for quarantined devices to alert administrators.

How CRL-based quarantine works

When the CRL-based quarantine feature is enabled, SD-WAN Manager quarantines devices whose certificates are included in a periodically updated certificate revocation list (CRL), which it receives from a certificate authority (CA).

The feature is disabled by default.

  1. At a defined interval, SD-WAN Manager polls a CRL server for the latest CRL, which contains serial numbers of certificates.

    Note

    The CRL server connects to SD-WAN Manager through VPN 0 or VPN 512.

  2. If any serial numbers match the certificates of devices in the fabric, SD-WAN Manager proceeds to quarantine the devices.

  3. SD-WAN Manager moves the devices requiring quarantine to a staging mode. This mode shuts down data traffic on the device, but does not remove the certificate from the device. Keeping the certificate on the device allows it to continue its control connection to SD-WAN Manager.

  4. SD-WAN Manager generates notifications for the device being quarantined.


Restrictions for certificate revocation list-based quarantine

This is a list of restrictions for certificate revocation list (CRL)-based quarantine.

Enterprise certificate authority requirement

You can use the CRL-based quarantine feature only if you have an enterprise CA (certificate authority) to sign certificates for hardware WAN edge certificate authorization, controller certificate authorization, or WAN edge cloud certificate authorization.

CRL-based quarantine and certificate revocation

You cannot enable the certificate revocation and CRL-based quarantine option at the same time.

Disable the CRL to switch from certificate revocation to quarantine or quarantine to certificate revocation.