Cisco Catalyst SD-WAN Certificate Management Guide, Releases 26.x and Later


Third-party certificate authority certificates for edge devices


Describes the use of a third-party certificate authority for devices in a Cisco Catalyst SD-WAN fabric.


A third-party certificate authority (CA) used for devices in a Cisco Catalyst SD-WAN fabric is a trusted external entity that issues digital certificates to authenticate device identities and secure communications.

A third-party CA certificate is a digital certificate that

  • authenticates device identities for secure communications,

  • establishes and verifies secure connections between devices by validating server identities, and

  • requires a more manual certificate signing and installation process, unlike Cisco PKI certificates, which can be automated.

Initial setup

SD-WAN Manager permits uploading third-party certificates to devices during their integration with the fabric. This is only available during the initial setup, when devices are installed and control connections are established.

Certificate upload

Starting with Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, SD-WAN Manager provides a method for uploading certificates that does not require CLI commands. It supports CA certificate uploads even after device setup.

Authenticating server identities

The CA certificates authenticate the server identities and prevent unauthorized access. Cisco IOS XE Catalyst SD-WAN devices use CA certificates to establish and manage secure connections with different servers in a network. When you upload a CA certificate to SD-WAN Manager, devices use the certificate information from the configuration group parcels to verify and authenticate the connections they establish with servers across a network, improving the security and integrity of your network traffic.


Devices that support third-party certificates

Devices that support third-party certificates: Cisco IOS XE Catalyst SD-WAN devices


Prerequisites for third-party certificate authority certificates

Prerequisites for uploading third-party CA certificates.

SD-WAN Manager release

SD-WAN Manager release: Cisco Catalyst SD-WAN Manager Release 20.13.1 and later

Device software release

Cisco IOS XE Catalyst SD-WAN device software release: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a and later


Restrictions for third-party certificate authority certificates

List of restrictions for using third-party certificate authority certificates.

PEM-encoded certificate files

Only PEM-encoded certificate files are supported.

Maximum certificate file size

Maximum certificate file size: 10 MB

Multitenancy

In a multitenancy environment, only a tenant can upload and manage CA certificates.

Note

When you log in to SD-WAN Manager as a provider, you can't upload or manage CA certificates.
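As an added example (not Cisco code), the following pre-upload check enforces the two file-level restrictions above, PEM encoding and the 10 MB size limit, and confirms each PEM block decodes to a single well-formed DER SEQUENCE. The sample input is a constructed stand-in for a certificate body, not a real certificate, and the check is structural only; it does not validate signatures or CA flags.

```python
"""Pre-upload sanity checks for a CA certificate file destined for
SD-WAN Manager: PEM encoding and the 10 MB limit from the restrictions.
Added example, not Cisco code; structural checks only."""
import base64
import re

MAX_SIZE_BYTES = 10 * 1024 * 1024  # 10 MB limit stated in the restrictions
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for a certificate body: base64 of the DER bytes
# 30 03 02 01 05 (a SEQUENCE containing INTEGER 5), not a real certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MAMCAQU=\n"
              b"-----END CERTIFICATE-----\n")


def _der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length covers all remaining bytes (no truncation, no trailing junk)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                     # short-form length
        length, hdr = first, 2
    else:                                # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(der)


def check_ca_file(data: bytes) -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if len(data) > MAX_SIZE_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 10 MB limit")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # A DER file begins with the SEQUENCE tag instead of a PEM header
        if data[:1] == b"\x30":
            problems.append("file looks DER encoded; only PEM is supported")
        else:
            problems.append("no PEM CERTIFICATE block found")
        return problems
    for i, body in enumerate(blocks, 1):
        try:  # strip line breaks, then decode strictly (no stray characters)
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not _der_sequence_ok(der):
            problems.append(f"certificate {i}: decoded bytes are not a DER SEQUENCE")
    return problems
```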