Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later

Enterprise certificates

Describes enterprise certificate support in Cisco Catalyst SD-WAN.


An enterprise certificate is a digital certificate that

  • allows organizations to use their own private certificate signing authority instead of relying on public certificate authorities,

  • authenticates the identity of Cisco Catalyst SD-WAN components such as SD-WAN Controllers and edge devices, and

  • enables secure sessions between authenticated devices within the overlay network.

About enterprise certificate support

Enterprise certificates allow organizations to use their own private certificate signing authority rather than having to rely on public certificate signing authorities.

Enterprise certificate support was introduced in Cisco IOS XE SD-WAN Release 16.11.1 and Cisco SD-WAN Release 19.1, replacing the previous controller certificate authorization method. Enterprise certificates support features such as custom certificate properties and RSA key lengths from 2048 to 4096 bits. They are supported on Cisco SD-WAN Manager, Validator, Controller, and most hardware WAN edge routers.

Certificates and authorized serial number files must be installed on SD-WAN Control Components to validate and authenticate the overlay network components, ensuring operational security.

For more information about enterprise certificates, see the Cisco Catalyst SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide.

Setup

The goal of setting up certificates in the fabric is to install signed certificates on the SD-WAN Control Components and edge devices in the fabric. With signed certificates in place, the network components can validate and authenticate each other and establish secure connections, which makes the fabric operational.


Device support for enterprise certificates

Lists devices that support enterprise certificates.

Device                    Enterprise Certificate Support
------------------------  ------------------------------------------------------
Cisco SD-WAN Manager      Yes
Cisco SD-WAN Validator    Yes
Cisco SD-WAN Controller   Yes
Edge routers              All hardware WAN edge routers
                          (vEdge/IOS-XE-SD-WAN) except ASR1002-X, ISRv, CSR1000v


Restrictions for enterprise certificates

Restrictions for enterprise certificate support.

Certificate encodings

Cisco SD-WAN Manager supports only Base 64 encoded certificates. Other encodings, such as DER, are not supported.

RSA key length

When using enterprise certificates for Cisco SD-WAN Controllers, ensure that you use root certificates with an RSA key that is at least 2048 bits.

From Cisco Catalyst SD-WAN Control Components Release 20.16.1 and Cisco Catalyst SD-WAN Control Components Release 20.15.2, Cisco SD-WAN Control Components support RSA key sizes ranging from 2048 to 4096 bits.

Device reset and upgrade

Resetting a WAN edge device removes the enterprise root certificate. After the reset, you have to re-install the certificate.

Upgrading a WAN edge device does not affect the enterprise root certificate.

Dependency on OU fields in enterprise certificates

From Cisco Catalyst SD-WAN Control Components Release 20.12.1, when onboarding a device, Cisco Catalyst SD-WAN does not require that the associated enterprise certificate have any OU fields defined. However, if at least one OU field is defined, then Cisco Catalyst SD-WAN requires that one of the OU fields match the organization name of the fabric.

From Cisco Catalyst SD-WAN Control Components Release 20.12.2, and Cisco Catalyst SD-WAN Control Components Release 20.13.1 and later, when onboarding a device, if the associated enterprise certificate has one or more OU fields defined, the OU fields need not match the organization name of the fabric.
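The encoding, RSA key-length, and OU restrictions above can be checked before a certificate is uploaded to Cisco SD-WAN Manager. The following Go program is an added example and is not part of this guide or of Cisco's tooling. It builds a constructed self-signed certificate (the subject names and the fabric organization name "example-fabric-org" are placeholders), rejects input that is not Base 64 (PEM) encoded, enforces the 2048 to 4096-bit RSA range, and applies the Release 20.12.1 OU rule: no OU fields is acceptable, but if any OU is present, one of them must equal the fabric organization name. For Release 20.12.2 and Release 20.13.1 and later, the OU check would simply be omitted.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RSA key-size bounds stated in the restrictions section.
const (
	minRSABits = 2048
	maxRSABits = 4096
)

// parsePEMCertificate accepts only a Base 64 (PEM) encoded certificate; raw DER
// input is rejected, matching the SD-WAN Manager encoding restriction.
func parsePEMCertificate(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("certificate is not Base 64 (PEM) encoded; DER and other encodings are not supported")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
	return x509.ParseCertificate(block.Bytes)
}

// checkRSAKeySize enforces the 2048 to 4096-bit RSA range.
func checkRSAKeySize(cert *x509.Certificate) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("expected an RSA public key, got %T", cert.PublicKey)
	}
	bits := pub.N.BitLen()
	if bits < minRSABits || bits > maxRSABits {
		return fmt.Errorf("RSA key is %d bits; it must be between %d and %d bits", bits, minRSABits, maxRSABits)
	}
	return nil
}

// checkOUMatch applies the Release 20.12.1 onboarding rule: a certificate with
// no OU fields is accepted, but if any OU is present, one of them must equal
// the fabric organization name.
func checkOUMatch(cert *x509.Certificate, fabricOrg string) error {
	ous := cert.Subject.OrganizationalUnit
	if len(ous) == 0 {
		return nil
	}
	for _, ou := range ous {
		if ou == fabricOrg {
			return nil
		}
	}
	return fmt.Errorf("no OU field in %v matches the fabric organization name %q", ous, fabricOrg)
}

// makeTestCert builds a constructed self-signed certificate for this
// demonstration; the names in it are placeholders, not Cisco-issued values.
func makeTestCert(bits int, ous []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         "example-controller.invalid",
			Organization:       []string{"Example Org"},
			OrganizationalUnit: ous,
		},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	good, err := makeTestCert(2048, []string{"example-fabric-org"})
	if err != nil {
		panic(err)
	}
	cert, err := parsePEMCertificate(good)
	if err != nil {
		panic(err)
	}
	fmt.Println("key size:", checkRSAKeySize(cert))
	fmt.Println("OU match:", checkOUMatch(cert, "example-fabric-org"))
	fmt.Println("OU mismatch:", checkOUMatch(cert, "other-org"))
	_, derErr := parsePEMCertificate(cert.Raw) // cert.Raw is the DER form
	fmt.Println("DER input:", derErr)
}
```

Run the same three functions against your real root and controller certificates before uploading them; a failure from any of them corresponds to one of the restrictions listed in this section, and the downgrade restriction below is the key-size check applied with a 2048-bit upper bound.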

Downgrade restriction

If you are using enterprise certificates that use 4096-bit RSA keys, before downgrading Cisco SD-WAN Control Components to a release earlier than Cisco Catalyst SD-WAN Control Components Release 20.16.1 or Cisco Catalyst SD-WAN Control Components Release 20.15.2, change the enterprise certificates to use 2048-bit RSA keys.