Edge device certificate management

Edge device certificate management feature history

Table 1. Feature History

Feature Name: WAN edge device certificate management workflow

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a; Cisco Catalyst SD-WAN Control Components Release 20.18.1

Description: The WAN edge device certificate management workflow updates the authentication certificates for edge devices in the fabric. This is useful for updating certificates before they expire.

WAN edge device certificate management workflow

The WAN Edges Certificate Management Workflow in Cisco SD-WAN Manager is a step-by-step interactive procedure (called a workflow) that updates the authentication certificates for edge devices in the network.

SD-WAN Manager uses authentication certificates on WAN edge devices to communicate with other network components in the fabric.

Certificates expire and require renewal. Use this SD-WAN Manager workflow to renew the certificates for edge devices.

Supported components for the edge device certificate management workflow

  • Cisco IOS XE Catalyst SD-WAN devices

  • Cisco vEdge devices

Supported solutions for the edge device certificate management workflow

The workflow applies to WAN edge devices in the SD-WAN or SD-Routing solutions.

Renew certificates using the edge device certificate management workflow

The WAN Edges Certificate Management workflow provides two methods:

  • Auto: For each selected WAN edge device, SD-WAN Manager generates a certificate signing request (CSR), sends the CSR to the certificate authority (CA) for signing, then installs the signed certificate on the device.

  • Manual: For each selected WAN edge device, SD-WAN Manager generates a certificate signing request (CSR) for you to download. Then you manually handle the certificate signing and re-upload the signed certificate. The workflow then installs the signed certificate on the device.

Before you begin

For the automatic certificate signing option in the workflow, two prerequisites apply. If these are not met, only a manual signing option is available in the workflow. The prerequisites are:

  • Smart Account and Virtual Account

    In Cisco Catalyst SD-WAN Manager Release 20.18.1 and earlier, enter Smart Account and Virtual Account details in Cisco SD-WAN Manager.

    1. From the Cisco SD-WAN Manager menu, choose Administration > Settings > Smart Account Credentials.

    2. Enter your Smart Account or Virtual Account credentials in the Username and Password fields.

  • Register Plug-and-Play

    From Cisco Catalyst SD-WAN Manager Release 20.18.2, service providers in a multitenant environment and tenants in a single-tenant environment must register the Plug-and-Play service.

  • Certificate signing by Cisco

    1. From the Cisco SD-WAN Manager menu, choose Administration > Settings > Certificate settings.

    2. Click WAN Edges for 20.18.x and above.

    3. Change Certificate Signing by to Cisco.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

Step 2

Launch the WAN Edges Certificate Management workflow.

Step 3

Choose Auto or Manual, select the desired WAN edge devices, and proceed according to the instructions in the workflow.

The workflow lists each WAN edge device, and the certificate information for each, including expiration date.

  • File formats

    If you use the Manual option, which requires you to complete the signing for each certificate manually, outside of SD-WAN Manager, add the signed certificates to a single archive file to upload at the required step. The workflow supports these file formats for upload:

    • zip

    • pem

    • crt

    • cer

    If you are renewing certificates for multiple devices simultaneously, we recommend using the zip format so that you can combine all certificates into a single zip file to upload.

  • Signed certificates

    If you use the Manual option, which requires you to complete the signing for each certificate manually, the archive file that you upload with the signed certificates must include a signed certificate for each selected device. If the uploaded file does not contain signed certificates for each, the workflow does not proceed.
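A pre-upload check for the Manual option, added here as an example (not Cisco code): it reports which devices have no signed certificate in the zip by comparing the public key in each downloaded CSR with the public keys of the certificates in the archive. It assumes PEM-encoded CSRs and certificates; the function names and the device-to-CSR mapping are illustrative.

```python
import base64, re, zipfile

# Assumption: CSRs and signed certificates are PEM-encoded.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", re.S)
UPLOAD_EXTS = (".pem", ".crt", ".cer")  # per-certificate formats the page lists

def pem_blocks(data):
    """Return [(label, DER bytes)] for every PEM block in data."""
    return [(label.decode(), base64.b64decode(b"".join(body.split())))
            for label, body in PEM_RE.findall(data)]

def tlv_size(buf, pos):
    """Return (header length, content length) of the DER TLV at pos."""
    n = buf[pos + 1]
    if n < 0x80:                      # short-form length
        return 2, n
    k = n & 0x7F                      # long form: next k bytes hold the length
    return 2 + k, int.from_bytes(buf[pos + 2:pos + 2 + k], "big")

def children(der):
    """Split the content of a DER SEQUENCE into its child TLVs."""
    hdr, n = tlv_size(der, 0)
    out, pos = [], hdr
    while pos < hdr + n:
        h, m = tlv_size(der, pos)
        out.append(der[pos:pos + h + m])
        pos += h + m
    return out

def spki(label, der):
    """Extract SubjectPublicKeyInfo from a CSR or an X.509 certificate."""
    body = children(children(der)[0])  # CertificationRequestInfo or TBSCertificate
    if "REQUEST" in label:
        return body[2]                 # version, subject, SPKI
    return body[6 if body[0][0] == 0xA0 else 5]  # v3 certs start with [0] version

def missing_certs(csrs, archive_path):
    """csrs: {device label: CSR PEM bytes} (hypothetical mapping you maintain).
    Return the devices with no certificate of matching public key in the zip."""
    signed = set()
    with zipfile.ZipFile(archive_path) as z:
        for name in z.namelist():
            if name.lower().endswith(UPLOAD_EXTS):
                signed.update(spki(l, d) for l, d in pem_blocks(z.read(name))
                              if l == "CERTIFICATE")
    return sorted(dev for dev, pem in csrs.items()
                  if spki(*pem_blocks(pem)[0]) not in signed)
```

An empty list from `missing_certs` means every CSR has a matching signed certificate in the archive; any device it returns still needs its certificate added before upload.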