Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Use an enterprise certificate with SD-WAN Control Components


Procedure for using an enterprise certificate with SD-WAN Control Components.


Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

2. In the Controller Certificate Authorization area, select Edit.

3. Select Enterprise Root Certificate. If a warning appears, select Proceed to continue.

4. Optionally, select Set CSR Properties to configure certificate signing request (CSR) details manually.

Note

In a multitenant scenario, if you configure CSR properties manually and if you are using Cisco Catalyst SD-WAN Control Components Release 20.11.1 or later, then ensure that devices in the network are using Cisco IOS XE Catalyst SD-WAN Release 17.11.1a or later. In a single-tenant scenario, this is not required.

In a multitenant scenario, if you configure CSR properties manually, then when you are ready to generate a CSR for a tenant device, enter the tenant's organization name in the Secondary Organizational Unit field described below. In a multitenant scenario, if you are generating a CSR for a service provider device, this is not required.

The following properties appear:

  • Domain Name: Network domain name. Maximum 17 characters.

  • Organizational Unit

    Note

    Organizational Unit is a noneditable field. This field is auto-filled with the organization name that you have configured for Cisco SD-WAN Manager in Administration > Settings > Organization Name.

  • Secondary Organizational Unit: This optional field is only available in Cisco IOS XE Release 17.2 or Cisco SD-WAN Release 20.1.x and onwards. Note that if this optional field is specified, it will be applied to all controllers and edge devices.

  • Organization: Beginning with Cisco vManage Release 20.11.1, when configuring controller certificate authorization for enterprise certificates on WAN edge cloud devices, you can specify any organization in this field. You are not limited to names such as Viptela LLC, vIPtela Inc, or Cisco Systems. This enables you to use your organization’s certificate authority name or a third-party certificate authority name. The maximum length is 64 characters, and can include spaces and special characters. Cisco SD-WAN Manager validates the name when you enter it.

    From Cisco Catalyst SD-WAN Manager Release 20.12.1, the system Organization Name cannot contain a comma during the device configuration.

  • City

  • State

  • Email

  • 2-Letter Country Code

  • Subject Alternative Name (SAN) DNS Names: (optional) You can configure multiple host names to use the same SSL certificate. Example: cisco.com and cisco2.com

  • Subject Alternative Name (SAN) URIs: (optional) You can configure multiple uniform resource identifiers (URIs) to use the same SSL certificate. Example: cisco.com and support.cisco.com

5. Paste an SSL certificate into the Certificate field or select Select a file and navigate to an SSL certificate file.

6. (Optional) In the Subject Alternative Name (SAN) DNS Names field, you can enter multiple host names to use the same SSL certificate.

7. (Optional) In the Subject Alternative Name (SAN) URIs field, you can enter multiple URIs to use the same SSL certificate.

Example: cisco.com and support.cisco.com

This is helpful for an organization that uses a single certificate for a host name, without using different subdomains for different parts of the organization.
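
A pre-flight check of the step 4 CSR properties against the limits and release requirements stated in this procedure, as an added example that is not Cisco code. The function names, dictionary keys and sample values are assumptions made for illustration, and it assumes Cisco SD-WAN Manager runs the same release as the other Control Components.

```python
import re

def _ver(release):
    """'17.11.1a' -> (17, 11, 1); a trailing letter is ignored when comparing."""
    return tuple(int(n) for n in re.findall(r"\d+", release)[:3])

def check_csr_properties(props, control_release, multitenant=False,
                         tenant_device=False, device_releases=()):
    """Return a list of problems; an empty list means the values fit the documented limits."""
    problems = []
    if len(props.get("domain_name", "")) > 17:
        problems.append("Domain Name is longer than 17 characters")
    if len(props.get("organization", "")) > 64:
        problems.append("Organization is longer than 64 characters")
    if not re.fullmatch(r"[A-Za-z]{2}", props.get("country", "")):
        problems.append("Country Code must be exactly 2 letters")
    # Organizational Unit is auto-filled from the system Organization Name,
    # which cannot contain a comma from Manager Release 20.12.1.
    if _ver(control_release) >= (20, 12, 1) and "," in props.get("organizational_unit", ""):
        problems.append("Organization Name contains a comma")
    if multitenant:
        # A tenant device CSR carries the tenant's organization name in the
        # Secondary Organizational Unit; a service provider device does not need it.
        if tenant_device and not props.get("secondary_ou", "").strip():
            problems.append("Secondary Organizational Unit is empty for a tenant device")
        # Control Components 20.11.1 or later require devices on 17.11.1a or later.
        if _ver(control_release) >= (20, 11, 1):
            for name, rel in device_releases:
                if _ver(rel) < (17, 11, 1):
                    problems.append(f"{name} runs {rel}, older than 17.11.1a")
    return problems

# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "domain_name": "wan.corp.example.net",  # 20 characters, over the limit
    "organizational_unit": "Example Corp, EMEA",
    "secondary_ou": "",
    "organization": "Example Corp Issuing CA",
    "country": "USA",
}
SAMPLE_DEVICES = [("edge-01", "17.9.4"), ("edge-02", "17.11.1a")]

if __name__ == "__main__":
    for p in check_csr_properties(SAMPLE, "20.12.1", multitenant=True,
                                  tenant_device=True, device_releases=SAMPLE_DEVICES):
        print("FAIL:", p)
```
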