Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Configure enterprise certificates

Procedure for configuring enterprise certificates.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Settings > Hardware WAN Edge Certificate Authorization.

2. Select Enterprise Certificate (signed by Enterprise CA).

   On Box Certificate (TPM/SUDI Certificate) is the default option.

3. If you want to specify custom certificate properties, select Set CSR Properties and configure the following properties.

   Domain Name
      Network domain name. Do not exceed 17 characters.

   Organizational Unit
      This is a noneditable field. The organizational unit must be the same as the organization name used in Cisco SD-WAN Manager.

      Note: For devices using Cisco IOS XE Catalyst SD-WAN Release 17.9.3a or later releases of Cisco IOS XE Release 17.9.x, or Cisco IOS XE Catalyst SD-WAN Release 17.12.1a or later, the certificates that you install on the devices do not require the Organizational Unit field to be defined. However, if a signed certificate includes the Organizational Unit field, the field must match the organization name configured on the device. This addresses the policy of the Certification Authority Browser Forum (CA/Browser Forum), as of September 2022, to stop including an organizational unit in signed certificates. Despite the change in policy of the CA/Browser Forum, some certificate authorities might still include an organizational unit in the signed certificate.

   Secondary Organization Unit
      This optional field is available from Cisco IOS XE Release 17.2 or Cisco SD-WAN Release 20.1.x. If this optional field is specified, it is applied to all SD-WAN Control Components and edge devices.

      Note: If a signed certificate includes the Organizational Unit field or the Secondary Organizational Unit field, one of these fields must match the organization name configured on the device. This addresses the policy of the Certification Authority Browser Forum (CA/Browser Forum), as of September 2022, to stop including an organizational unit in signed certificates. Despite the change in policy of the CA/Browser Forum, some certificate authorities might still include an organizational unit in the signed certificate.

   Organization
      Organization name.

   City
      City name.

   State
      State name.

   Email
      Email address.

   2-Letter Country Code
      Country code.

   Subject Alternative Name (SAN) DNS Names
      Optionally, you can configure multiple host names to use the same SSL certificate.
      Example: cisco.com and cisco2.com

   Subject Alternative Name (SAN) URIs
      Optionally, you can configure multiple uniform resource identifiers (URIs) to use the same SSL certificate.
      Example: cisco.com and support.cisco.com

4. Choose Select a file to upload a root certificate authority file.

   The uploaded root certificate authority is shown in the text box.

5. Select Save.

6. From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

7. Select the Upload WAN Edge List tab.

8. Browse to the location of the devices list and select Upload.

9. On the Configuration > Certificates page, select ... and choose an action:

   View Enterprise CSR (certificate signing request)
      Copy the CSR, sign it using the enterprise root certificate, and upload the signed certificate to SD-WAN Manager using the Install Certificate operation. SD-WAN Manager automatically discovers on which hardware edge the certificate needs to be installed.

   View Enterprise Certificate
      After the certificate is installed, you can see the installed certificate and download it.

   Renew Enterprise CSR
      If you need to install a new certificate on the hardware device, you can use the Renew Enterprise CSR option. The Renew Enterprise CSR option generates the CSR. You can then view the certificate (View Enterprise CSR option) and install the certificate (Install Certificate option). This step flaps the control connections, because the device comes up with a new serial number. You can see the new serial number and expiration date on the Configuration > Certificates page.

      Note: The certificates that you install on devices in the Cisco Catalyst SD-WAN fabric do not require the Organizational Unit field to be defined. However, if a signed certificate includes the Organizational Unit field, the field must match the organization name configured on the device.

   Revoke Enterprise Certificate
      Removes the enterprise certificate from the device and moves the device back to prestaging. The device then has only its control connections to SD-WAN Validator and SD-WAN Manager up.

   For a WAN edge device, select ... and choose an action:

   View Feature CSR
      • Copy the CSR available from the device.
      • Sign the certificate using the enterprise root certificate from a certifying authority.
      • Upload the signed certificate to SD-WAN Manager using the Install Feature Certificate operation.
        SD-WAN Manager automatically discovers on which hardware edge the certificate needs to be installed. After you install the feature certificate, the View Feature Certificate option is available.

   View Feature Certificate
      After you install the feature certificate, you can view the feature certificate and download it.

   Revoke Feature Certificate
      Removes the feature certificate or trustpoint information from the WAN edge device. After you revoke a certificate, no actions are available for the device. To see all actions for the device again, configure the device's logging to a Transport Layer Security (TLS) profile with the authentication type set to server, and then set the authentication type back to mutual. Alternatively, reset the device to its factory default configuration.

      To reset a device to factory default:
      • From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
      • Create a device template with the factory-default template.
        The factory-default template is named Factory_Default_feature-name_Template. See Create a Device Template from Feature Templates for information about creating a device template from feature templates.

10. Select Install Certificate or Install Feature Certificate to upload the signed certificate.

    The certificate must be a signed certificate. Initially, the state is CSR Generated. The state changes to Certificate Installed when the certificate is successfully installed.
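The following script, added here as an example and not part of the Cisco guide, shows the enterprise CA side of steps 9 and 10 with openssl: it signs a copied CSR with the enterprise root CA, adds the SAN DNS names and URIs from the CSR properties, verifies that the result chains to that root, and checks the Organizational Unit rule from the notes above before the certificate is uploaded with Install Certificate. The root CA and the CSR are constructed stand-ins, and the organization name ExampleOrg, the host names and the temporary file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: the enterprise-CA side of steps 9 and 10.
set -eu
ORG="ExampleOrg"            # placeholder for the organization name configured in SD-WAN Manager
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the real material: the enterprise root CA uploaded in
# step 4 and a CSR like the one copied from View Enterprise CSR in step 9.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/O=$ORG/CN=Enterprise Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/O=$ORG/OU=$ORG/CN=edge1.example.com" \
  -keyout "$WORK/edge.key" -out "$WORK/edge.csr" 2>/dev/null

# SAN DNS names and SAN URIs (the last two rows of the CSR properties table) are
# applied at signing time through an extension file.
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'subjectAltName=DNS:edge1.example.com,DNS:edge2.example.com,URI:https://support.example.com' > "$WORK/ext.cnf"

# sign_csr CSR OUT: sign CSR with the enterprise root CA, then verify that the
# result chains back to that root before it goes anywhere near Install Certificate.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null
}

# check_ou CERT ORG: the OU is optional, but if the CA put one in, it must equal
# the organization name configured on the device (the rule in the notes above).
check_ou() {
  ous=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 | sed -n 's/^ *OU=//p')
  [ -z "$ous" ] || echo "$ous" | grep -qxF -- "$2"
}

# san_has CERT ENTRY: true if ENTRY (for example DNS:edge2.example.com) is in the SAN.
san_has() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF -- "$2"
}

sign_csr "$WORK/edge.csr" "$WORK/edge.crt"
check_ou "$WORK/edge.crt" "$ORG" && echo "OU matches $ORG: certificate is ready to install"
```

In a real run, replace the constructed CA and CSR with the enterprise root CA and the CSR copied from SD-WAN Manager, and upload the resulting file with Install Certificate only after both checks pass.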

11. From the Cisco SD-WAN Manager menu, choose Configuration > Certificates. The enterprise certificate columns are shown, including the device type, chassis-id, enterprise serial number, and enterprise certificate date.