Edge device certificate management

Edge device certificate management feature history

Table 1. Feature History

| Feature Name | Release Information | Description |
|---|---|---|
| WAN edge device certificate management workflow | Cisco IOS XE Catalyst SD-WAN Release 17.18.1a; Cisco Catalyst SD-WAN Control Components Release 20.18.1 | The WAN edge device certificate management workflow updates the authentication certificates for edge devices in the fabric. This is useful for updating certificates before they expire. |


WAN edge device certificate management workflow

The WAN Edges Certificate Management Workflow in Cisco SD-WAN Manager is a step-by-step interactive procedure (called a workflow) that updates the authentication certificates for edge devices in the network.

SD-WAN Manager uses authentication certificates on WAN edge devices to communicate with other network components in the fabric.

Certificates expire and require renewal. Use this SD-WAN Manager workflow to renew the certificates for edge devices.

Supported components for the edge device certificate management workflow

  • Cisco IOS XE Catalyst SD-WAN devices

  • Cisco vEdge devices

Supported solutions for the edge device certificate management workflow

The workflow applies to WAN edge devices in the SD-WAN or SD-Routing solutions.

Prerequisites for the edge device certificate management workflow

For the automatic certificate signing option that occurs in the workflow, two prerequisites apply. Without these, only a manual signing option is available in the workflow. Here are the prerequisites:

  • Certificate signing by Cisco

    1. From the Cisco SD-WAN Manager menu, choose Administration > Settings > Certificate settings.

    2. Click WAN Edge Cloud.

    3. Change Certificate Signing by to Cisco.

  • Smart Account and Virtual Account

    Enter Smart Account and Virtual Account credentials.

    (Administration > Settings > Smart Account Credentials)

Renew certificates using the edge device certificate management workflow

The WAN Edges Certificate Management workflow provides two methods:

  • Auto: For each selected WAN edge device, SD-WAN Manager generates a certificate signing request (CSR), sends the CSR to the certificate authority (CA) for signing, then installs the signed certificate on the device.

  • Manual: For each selected WAN edge device, SD-WAN Manager generates a certificate signing request (CSR) for you to download. Then you manually handle the certificate signing and re-upload the signed certificate. The workflow then installs the signed certificate on the device.

Before you begin

See Prerequisites for the edge device certificate management workflow.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

Step 2

Launch the WAN Edges Certificate Management workflow.

Step 3

Choose Auto or Manual, select the desired WAN edge devices, and proceed according to the instructions in the workflow.

The workflow lists each WAN edge device, and the certificate information for each, including expiration date.

  • File formats

    If you use the Manual option, which requires you to complete the signing for each certificate manually, outside of SD-WAN Manager, add the signed certificates to a single archive file to upload at the required step. The workflow supports these file formats for upload:

    • zip

    • pem

    • crt

    • cer

    If you are renewing certificates for multiple devices simultaneously, we recommend using the zip format so that you can combine all certificates into a single zip file to upload.

  • Signed certificates

    If you use the Manual option, which requires you to complete the signing for each certificate manually, the archive file that you upload with the signed certificates must include a signed certificate for each selected device. If the uploaded file does not contain signed certificates for each, the workflow does not proceed.
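A pre-upload check for the Manual option, as an added example that is not part of Cisco's documentation or tooling: it confirms that every CSR downloaded from the workflow has a signed certificate carrying the same public key in the file you are about to upload. It assumes PEM-encoded CSRs and certificates; the function names and the device-name-to-CSR mapping are hypothetical, and it does not validate the CA signature, issuer, or expiration date.

```python
import base64, re, zipfile
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
CERT_EXTS = (".pem", ".crt", ".cer")  # single-certificate formats the page lists

def pem_blocks(data):
    """Yield (label, DER bytes) for each PEM block in data."""
    for label, body in PEM_RE.findall(data):
        yield label.decode(), base64.b64decode(b"".join(body.split()))

def _read(buf, pos):
    """Decode one DER header at pos: return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(der):
    """Return [(tag, raw TLV bytes)] for the members of a DER SEQUENCE."""
    _, pos, end = _read(der, 0)
    items = []
    while pos < end:
        tag, _, nxt = _read(der, pos)
        items.append((tag, der[pos:nxt]))
        pos = nxt
    return items

def public_key(label, der):
    """Return the raw SubjectPublicKeyInfo of a certificate or a CSR."""
    fields = children(children(der)[0][1])  # tbsCertificate / CertificationRequestInfo
    if "REQUEST" in label:
        return fields[2][1]                 # version, subject, SPKI
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    return fields[5][1]                     # serial, sigAlg, issuer, validity, subject, SPKI

def missing_devices(csrs, upload_path):
    """csrs maps device name -> CSR PEM bytes (assumed input); return devices with no signed cert."""
    if zipfile.is_zipfile(upload_path):
        with zipfile.ZipFile(upload_path) as z:
            files = [z.read(n) for n in z.namelist() if n.lower().endswith(CERT_EXTS)]
    else:
        files = [Path(upload_path).read_bytes()]
    # Only CERTIFICATE blocks count, so a CSR placed in the archive by mistake is not accepted.
    signed = {public_key(l, d) for f in files for l, d in pem_blocks(f) if l == "CERTIFICATE"}
    return sorted(dev for dev, pem in csrs.items()
                  if public_key(*next(pem_blocks(pem))) not in signed)
```

An empty list from `missing_devices` means every selected device has a matching signed certificate in the upload file; any names returned are devices whose certificate is absent or was issued for a different key.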