Cisco SD-WAN Getting Started Guide

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco SD-WAN Getting Started Guide

Chapter Title

Certificate Management

Results

Updated:
June 5, 2023

Chapter: Certificate Management

Certificate Management

Manage Certificates in Cisco vManage

Perform certificate operations in Cisco vManage on the Configuration > Certificates page.

  • Top bar—On the left are the menu icon, for expanding and collapsing the Cisco vManage menu, and the vManage product name. On the right are a number of icons and the user profile drop-down.

  • Title bar—Includes the title of the screen, Certificates.

  • WAN Edge List tab—Install the router authorized serial number file on the controllers in the overlay network and manage the serial numbers in the file. When you first open the Certificates screen, the WAN Edge List tab is selected.

    • Send to Controllers—Send the WAN edge router chassis and serial numbers to the controllers in the network.

    • Table of WAN edge routers in the overlay network—To re-arrange the columns, drag the column title to the desired position.

  • Controllers tab—Install certificates and download the device serial numbers to the vBond orchestrator.

    • Send to vBond—Send the controller serial numbers to the Cisco vBond Orchestrator.

    • Install Certificate—Install the signed certificates on the controller devices. This button is available only if you select Manual in Administration > Settings > Certificate Signing by Symantec.

    • Export Root Certificate—Display a copy of the root certificate for the controller devices that you can download to a file.

    • Table of controller devices in the overlay network—To re-arrange the columns, drag the column title to the desired position.

    • Certificate status bar—Located at the bottom of the screen, this bar is available only if you select Server Automated in Administration > Settings > Certificate Authorization. It displays the states of the certificate installation process:

      • Device Added

      • Generate CSR

      • Waiting for Certificate

      • Send to Controllers

    A green check mark indicates that the step has been completed. A grey check mark indicates that the step has not yet been performed.

  • Search box—Includes the Search Options drop-down, for a Contains or Match string.

  • Refresh icon—Click to refresh data in the device table with the most current data.

  • Export icon—Click to download all data to a file, in CSV format.

  • Show Table Fields icon—Click the icon to display or hide columns from the device table. By default, all columns are displayed.

Check the WAN Edge Router Certificate Status

In the WAN Edge List tab, check the Validate column. The status can be one of the following:

  • Valid (shown in green)—The router's certificate is valid.

  • Staging (shown in yellow)—The router is in the staging state.

  • Invalid (shown in red)—The router's certificate is not valid.

Validate a WAN Edge Router

When you add Cisco vEdge devices and WAN routers to the network using the Configuration > Devices screen, you can automatically validate the routers and send their chassis and serial numbers to the controller devices by clicking the checkbox Validate the uploaded WAN Edge List and send to controllers. If you do not select this option, you must individually validate each router and send their chassis and serial numbers to the controller devices. To do so:

  1. In the WAN Edge List tab, select the router to validate.

  2. In the Validate column, click Valid.

  3. Click OK to confirm the move to the valid state.

  4. Repeat the steps above for each router you wish to validate.

  5. Click the Send to Controllers button in the upper left corner of the screen to send the chassis and serial numbers of the validated routers to the controller devices in the network. Cisco vManage NMS displays the Push WAN Edge List screen showing the status of the push operation.

Stage a WAN Edge Router

When you initially bring up and configure a WAN Edge router, you can place it in staging state using the Cisco vManage instance. When the router is in this state, you can configure the router, and you can test that the router is able to establish operational connections with the vSmart controller and the vManage instance.

After you physically place the router at its production site, you change the router's state from staging to valid. It is only at this point that the router joins the actual production network. To stage a router:

  1. In the WAN Edge List tab, select the router to stage.

  2. In the Validate column, click Staging.

  3. Click OK to confirm the move to the staging state.

  4. Click Send to Controllers in the upper left corner of the screen to sync the WAN edge authorized serial number file with the controllers. vManage NMS displays the Push WAN Edge List screen showing the status of the push operation.

  5. To unstage, validate the WAN Edge Router.

Invalidate a WAN Edge Router

  1. In the WAN Edge List tab, select the router to invalidate.

  2. In the Validate column, click Invalid.

  3. Click OK to confirm the move to the invalid state.

  4. Repeat the steps above for each router you wish to invalidate.

  5. Click the Send to Controllers button in the upper left corner of the screen to send the chassis and serial numbers of the validated routers to the controller devices in the network. Cisco vManage instance displays the Push WAN Edge List screen showing the status of the push operation.

Send the Controller Serial Numbers to Cisco vBond Orchestrator

To determine which controllers in the overlay network are valid, the Cisco vBond Orchestrator keeps a list of the controller serial numbers. The Cisco vManage instance learns these serial numbers during the certificate-generation process.

To send the controller serial numbers to the Cisco vBond Orchestrator:

  1. In the Controllers tab, check the certificate status bar at the bottom of the screen. If the Send to Controllers check mark is green, all serial numbers have already been sent to the Cisco vBond Orchestrator. If it is grey, you can send one or more serial numbers to the Cisco vBond Orchestrator.

  2. Click the Send to vBond button in the Controllers tab. A controller's serial number is sent only once to the Cisco vBond Orchestrator. If all serial numbers have been sent, when you click Send to vBond, an error message is displayed. To resend a controller's serial number, you must first select the device and then select Invalid in the Validity column.

After the serial numbers have been sent, click the Tasks icon in the Cisco vManage toolbar to display a log of the file download and other recent activities.

Install Signed Certificate

If in Administration > Settings > Certificate Signing by Symantec, you selected the Manual option for the certificate-generation process, use the Install Certificate button to manually install certificates on the controller devices.

After Symantec or your enterprise root CA has signed the certificates, they return the files containing the individual signed certificates. Place them on a server in your local network. Then install them on each controller:

  1. In the Controllers tab, click Install Certificate.

  2. In the Install Certificate window, select a file, or copy and paste the certificate text.

  3. Click Install to install the certificate on the device. The certificate contains information that identifies the controller, so you do not need to select the device on which to install the certificate.

  4. Repeat Steps the steps above to install additional certificates.

Export Root Certificate

  1. In the Controllers tab, click the Export Root Certificate button.

  2. In the Export Root Certificate window, click Download to export the root certificate to a file.

  3. Click Close.

View a Certificate Signing Request

  1. In the WAN Edge List or Controllers tab, select a device.

  2. Click the More Actions icon to the right of the row, and click View CSR to view the certificate signing request (CSR).

View a Device Certificate Signing Request

  1. In the WAN Edge List or Controllers tab, select a Cisco IOS XE SD-WAN device.

  2. Click the More Actions icon to the right of the row, and click View Device CSR to view the certificate signing request (CSR).

    For a Cisco IOS XE SD-WAN device where trustpoint has been configured, clicking the More Actions icon allows you to view three options:

    • View Device CSR

    • Generate Feature CSR

    • View Feature CSR


Note

Cisco vManage will generate alarms only if device certificate is installed through Cisco vManage. If you install certificate manually, Cisco vManage will not generate alarms for certificate expiration.

View the Certificate

  1. In the Controllers tab, select a device.

  2. Click the More Actions icon to the right of the row and click View Certificate.

Generate a Certificate Signing Request

The following procedures describe the process of generating CSRs.

Generate a Controller Certificate Signing Request

  1. From the Cisco vManage menu, choose Configuration > Certificates.

  2. Click Controllers.

  3. For the desired controller, click and choose Generate CSR.

    The Generate CSR window is displayed.

  4. In the Generate CSR window, click Download to download the file to your local PC (that is, to the PC you are using to connect to the Cisco vManage NMS).

  5. Repeat the preceding steps to generate a CSR for another controller.

Generate a Feature Certificate Signing Request

  1. From the Cisco vManage menu, choose Configuration > Certificates.

  2. Click WAN Edge List.

  3. For the desired device, click and choose Generate Feature CSR.

    The Generate Feature CSR window is displayed.

  4. In the Generate Feature CSR window, click OK to continue with the generation of feature CSR. This step authenticates the device trustpoint that has been set and extracts the CSR from the device.

  5. Repeat the steps above for each device for which you are generating a CSR.

Generate a WAN Edge Device Certificate Signing Request

  1. From the Cisco vManage menu, choose Configuration > Certificates.

  2. Click WAN Edge List.

  3. For the desired device, click and choose Renew Device CSR.

    The Renew Device CSR window is displayed.

  4. In the Renew Device CSR window, click OK to continue with the generation of a new CSR.


Note

Cisco vManage Release 20.9.1 and later releases: Clicking Renew Device CSR resets the RSA private and public keys, and generates a CSR that uses a new key pair. Cisco vManage also resets RSA private and public keys before generating a new CSR in Cisco vManage Release 20.6.4 and later Cisco vManage 20.6.x releases.

Cisco vManage releases other than the above-mentioned releases: Clicking Renew Device CSR generates a CSR using the existing key pair.

Reset the RSA Key Pair

  1. In the Controllers tab, select a device.

  2. Click the More Actions icon to the right of the row and click Reset RSA.

  3. Click OK to confirm resetting of the device's RSA key and to generate a new CSR with new public or private keys.

Invalidate a Device

  1. In the Controllers tab, select a device.

  2. Click the More Actions icon to the right of the row and click Invalidate.

  3. Click OK to confirm invalidation of the device.

View Log of Certificate Activities

To view the status of certificate-related activities:

  1. Click the Tasks icon located in the vManage toolbar. Cisco vManage NMS displays a list of all running tasks along with the total number of successes and failures.

  2. Click a row to see details of a task. Cisco vManage NMS opens a status window displaying the status of the task and details of the device on which the task was performed.

View a Signed Certificate

Signed certificates are used to authenticate Cisco SD-WAN devices in the overlay network. To view the contents of a signed certificate using Cisco vManage:

  1. From the Cisco vManage menu, choose Configuration > Certificates.

  2. Click Controllers.

  3. For the desired device, click ... and choose View Certificate to view the installed certificate.

Certificate Revocation

Table 1. Feature History

Feature Name

Release Information

Feature Description

Certificate Revocation

Cisco IOS XE Release 17.7.1a

Cisco SD-WAN Release 20.7.1

Cisco vManage Release 20.7.1

This feature revokes enterprise certificates from devices based on a certificate revocation list that Cisco vManage obtains from a root certificate authority.

Information About Certificate Revocation

If you are using enterprise certificates with Cisco SD-WAN, you can enable Cisco vManage to revoke designated certificates from devices, as needed. For example, you might need to revoke certificates if there has been a security issue at your site.


Note
The certificate revocation feature is disabled by default.

Cisco vManage revokes the certificates that are included in a certificate revocation list (CRL) that Cisco vManage obtains from a root certificate authority (CA).

When you enable the Certificate Revocation feature and provide the URL of the CRL to Cisco vManage, Cisco vManage polls the root CA at a configured interval, retrieves the CRL, and pushes the CRL to Cisco IOS XE SD-WAN devices, Cisco vEdge devices, Cisco vBond Orchestrators, and Cisco vSmart Controllers in the overlay network. Certificates that are included in the CRL are revoked from devices.

When certificates are revoked, they are marked as not valid. Device control connections remain up until the next control connection flap occurs, at which time device control connections are brought down. To bring a device control connection back up, reinstall a certificate on the device and onboard the device.

When Cisco vManage revokes certificates from devices, the devices are not removed from the overlay network, but they are prevented from communicating with other devices in the overlay network. A peer device rejects a connection attempt from a device whose certificate is in the CRL.

Restrictions for Certificate Revocation

  • By default, the Certificate Revocation feature is disabled. When you enable the Certificate Revocation feature for the first time, control connections to all the devices in the network flap. We recommend that you enable the feature for the first time during a maintenance window to avoid service disruption.

    When you disable the Certificate Revocation feature, control connections to all the devices in the network flap. We recommend that you disable the feature during a maintenance window to avoid service disruption

  • You can use the Certificate Revocation feature only if you are using an enterprise CA to sign certificates for hardware WAN edge certificate authorization, controller certificate authorization, or WAN edge cloud certificate authorization.

  • Cisco vManage can connect to a server to retrieve a CRL only through the VPN 0 interface.


Note
Starting from Cisco vManage Release 20.11.1, connections through the VPN 512 are supported.

Configure Certificate Revocation

Before You Begin

Make a note of the URL of the root CA CRL.

Procedure

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. In the Administration Settings window, click Edit next to Certificate Revocation List.

    The certificate revocation options appear.

  3. Click Enabled.

  4. In the CRL Server URL field, enter the URL of the CRL that you created on your secure server.

  5. In the Retrieval Interval field, enter the interval, in hours, at which Cisco vManage retrieves the CRL from your secure server and revokes the certificates that the CRL designates.

    Enter a value from 1 to 24. The default retrieval interval is 1 hour.

  6. Click Save.

    Cisco vManage immediately retrieves the CRL and revokes the certificates that the CRL designates. From then on, Cisco vManage retrieves the CRL according to the retrieval interval period that you specified.

CRL-Based Quarantine

Table 2. Feature History

Feature Name

Release Information

Feature Description

CRL-Based Quarantine

 Cisco vManage Release 20.11.1

With this feature you can quarantine SD-WAN edge devices based on a certificate revocation list that Cisco vManage obtains from a certificate authority.

Information About CRL-Based Quarantine

When you use enterprise certificates with Cisco SD-WAN, you can use Cisco vManage to quarantine SD-WAN edge devices that are compromised, and their certificates have been revoked.


Note
The certificate revocation list (CRL)-based quarantine feature is disabled by default.

  • Cisco vManage revokes the certificates that are included in a certificate revocation list (CRL). Cisco vManage obtains this list from a certificate authority (CA).

  • At defined intervals, Cisco vManage polls the CRL server for the latest CRL. On receiving the list, Cisco vManage analyzes it to determine which SD-WAN edge device is to be quarantined.

  • Cisco vManage checks if the serial numbers of certificates for each valid SD-WAN edge device in the network match the serial numbers of certificates within the CRL. On finding a match, the certificates on the SD-WAN edge devices are not removed to enable the SD-WAN edge devices to retain a control connection to Cisco vManage.

The quarantine process for SD-WAN edge devices is as follows:

  • For each SD-WAN edge device that is quarantined:

    • Cisco vManage moves the SD-WAN edge device to the staging mode. The staging mode shuts down data traffic while maintaining a control connection to Cisco vManage.

    • Cisco vManage generates notifications for the SD-WAN edge device being quarantined.

For each Cisco vSmart controller that is quarantined, Cisco vManage generates notifications for the controller.


Note
The CRL server connects to Cisco vManage through VPN 0 or VPN 512.

Restrictions for CRL-Based Quarantine

  • You can use the CRL-based quarantine feature only if you have an enterprise CA (certificate authority) to sign certificates for hardware WAN edge certificate authorization, controller certificate authorization, or WAN edge cloud certificate authorization.

  • Disable the CRL to switch from certificate revocation to quarantine or quarantine to certificate revocation. You cannot enable the certificate revocation and CRL-based quarantine option at the same time.

Configure CRL-Based Quarantine

Before You Begin

  • From the Cisco vManage menu, choose Administration > Settings. Click any one of the following options and choose enterprise mode to enable the CRL (certificate revocation list).

    • In the Controller Certificate Authorization field, choose Enterprise Root Certificate or

    • In the Hardware WAN Edge Certificate Authorization field, choose Enterprise Certificate (signed by Enterprise CA) or

    • In the WAN Edge Cloud Certificate Authorization field, choose Manual (Enterprise CA - recommended).

  • Make a note of the URL of the CA CRL.


Note
By default, the CRL-based quarantine feature is disabled.

To configure CRL-based quarantine:

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. In the Administration Settings page, click Edit next to Certificate Revocation List.

    The Certificate Revocation and CRL-Based Quarantine options appear.

  3. Click CRL-Based Quarantine.

  4. In the CRL Server URL field, enter the URL of the CRL that you created on your secure server.

  5. In the Retrieval Interval field, enter the interval in hours. Cisco vManage uses the certificate revocation list (CRL) to quarantine SD-WAN edge devices.

    Enter a value from 1 to 24. The default retrieval interval is 24 hours.

  6. Click VPN 0 or VPN 512. Cisco vManage connects to a server to retrieve the CRL through the VPN 0 or VPN 512 interface.

  7. Click Save.

    Cisco vManage at intervals, polls the CRL server for the latest CRL. This list is analyzed to determine which SD-WAN edge devices are to be quarantined.


Note
If the CRL is disabled in earlier releases, the CRL remains disabled after upgrading to the Cisco vManage Release 20.11.1. If the CRL was enabled in a release prior to Cisco vManage Release 20.11.1, then after upgrading to Cisco vManage Release 20.11.1, the certificate revocation option is enabled with VPN0 as the default.

Manage Root Certificate Authority Certificates in Cisco vManage

Feature Name

Release Information

Description

Support for Managing Root CA Certificates in Cisco vManage

Cisco IOS XE Release 17.4.1a

Cisco SD-WAN Release 20.4.1

Cisco vManage Release 20.4.1

This feature enables you to add and manage root certificate authority (CA) certificates.

Add a Root Certificate Authority Certificate

  1. In Cisco vManage, choose Administration > Root CA Management.

  2. Click Modify Root CA.

  3. In the Root Certificate field, paste in certificate text, or click Select a File to load a certificate from a file.

  4. Click Add. The new certificate appears in the certificate table. The Recent Status column indicates that the certificate has not yet been installed.

  5. Click Next and review the details of any certificates that have not been installed.

  6. Click Save to install the certificate(s). The new certificate appears in the certificate table.

View a Root Certificate Authority Certificate

  1. In Cisco vManage, choose Administration > Root CA Management.

  2. (optional) In the search field, enter text to filter the certificate view. You can filter by certificate text or attribute values, such as serial number.

  3. In the table of certificates, click More Actions () and choose View. A pop-up window appears, displaying the certificate and its details.

Delete a Root Certificate

Use this procedure to delete a root Certificate Authority (CA) certificate.

  1. In Cisco vManage, choose Administration > Root CA Management.

  2. Click Modify Root CA.

  3. Select one or more root certificates in the table and click the trash icon in the Action column. The table shows the certificate as marked for deletion.

  4. Click Next and review the details of any certificates that are marked for deletion.

  5. Click Save to delete the certificate(s).

Enterprise Certificates

In Cisco IOS XE SD-WAN Release 16.11.1 and Cisco SD-WAN Release 19.1, enterprise certificates were introduced. Enterprise certificates replace the controller certificates authorization used previously.


Note
When using enterprise certificates for Cisco SD-WAN devices and controllers, ensure that you use root certificates with an RSA key that is at least 2048 bit.

Note
For purposes of certificate management, the term controller is used to collectively refer to Cisco vManage, the Cisco vSmart Controller, and the Cisco vBond Orchestrator.

Note

For more information about enterprise certificates, see the Cisco SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide.

Use the Certificates page to manage certificates and authenticate WAN edge and controller devices in the overlay network.

Two components of the Cisco SD-WAN solution provide device authentication:

  • Signed certificates are used to authenticate devices in the overlay network. Once authenticated, devices can establish secure sessions between each other. It is from Cisco vManage that you generate these certificates and install them on the controller devices—Cisco vManage, Cisco vBond Orchestrators, and Cisco vSmart Controllers.

  • The WAN edge authorized serial number file contains the serial numbers of all valid vEdge and WAN routers in your network. You receive this file from Cisco SD-WAN, mark each router as valid or invalid, and then from Cisco vManage, send the file to the controller devices in the network.

Install the certificates and the WAN edge authorized serial number file on the controller devices to allow the Cisco SD-WAN overlay network components to validate and authenticate each other and thus to allow the overlay network to become operational.

Configure Enterprise Certificates for Cisco SD-WAN Devices and Controllers

Feature Name

Release Information

Description

Support for Secondary Organizational Unit

Cisco IOS XE Release 17.2.1r

Cisco SD-WAN Release 20.1.1

This optional feature allows you to configure a secondary organizational unit when configuring the certificates. If specified, this setting is applied to all controllers and edge devices.

Support for Subject Alternative Name (SAN)

Cisco IOS XE Release 17.4.1a

Cisco SD-WAN Release 20.4.1

Cisco vManage Release 20.4.1

This feature enables you to configure subject altenative name (SAN) DNS Names or uniform resource identifiers (URIs). It enables multiple host names and URIs to use the same SSL certificate.

Support for Specifying Any Organization for WAN Edge Cloud Device Enterprise Certificates

Cisco SD-WAN Controllers Release 20.11.1

When configuring controller certificate authorization for enterprise certificates on WAN edge cloud devices, you can specify any organization in the Organization field. You are not limited to names such as Viptela LLC, vIPtela Inc, or Cisco Systems. This enables you to use your organization’s certificate authority name or a third-party certificate authority name.

Enterprise certificates allow organizations to use their own private certificate signing authority rather than having to rely on public certificate signing authorities. You can also apply custom certificate properties using the Set CSR Properties field.


Note

In the 16.11/19.1 release, enterprise certificates were introduced. Enterprise certificates replace the controller certificates authorization that were used previously. An independent organization handles the signing of enterprise certificates.

Use the Configuration > Certificates page to manage certificates and authenticate WAN edge and controller devices in the overlay network.

Two components of the Cisco SD-WAN solution provide device authentication:

  • Signed certificates are used to authenticate devices in the overlay network. Once authenticated, devices can establish secure sessions between each other. It is from Cisco vManage that you generate these certificates and install them on the controller devices—Cisco vManage instances, Cisco vBond orchestrators, and Cisco vSmart controllers.

  • WAN edge authorized serial number file contains the serial numbers of all valid vEdge and WAN routers in your network. You receive this file from Cisco Plug and Play (PnP), mark each router as valid or invalid, and then from Cisco vManage, send the file to the controller devices in the network.

You must install the certificates and the WAN edge authorized serial number file on the controller devices to allow the Cisco SD-WAN overlay network components to validate and authenticate each other and thus to allow the overlay network to become operational.


Note
For purposes of certificate management, the term controller refers collectively to Cisco vManage, Cisco vSmart controller, and Cisco vBond orchestrator.

Once you reset a WAN edge device, you have to install the enterprise root certificate manually on the device. If you perform an upgrade, your certificate is retained.


Note

Cisco vManage supports only Base 64 encoded certificates. Other formats, such as DER, encoded are not supported.

For example, the PEM extension is used for different types of X.509v3 files that contain ASCII (Base64) armored data prefixed with a --BEGIN ... line.

Enterprise Certificate Supported Devices

The following are the supported enterprise supported devices.

Device

Supported

vManage

Yes

vBond

Yes

vSmarts

Yes

Edges

All hardware WAN edges

vEdge/IOS-XE-SD-WAN except ASR1002-X, ISRv, CSR1000v

Configuring Enterprise Certificates

  1. From the Cisco vManage menu, choose Administration > Settings > Hardware WAN Edge Certificate Authorization and choose Edit.

  2. Click Enterprise Certificate (signed by Enterprise CA).

    On Box Certificate (TPM/SUDI Certificate) is the default option.

  3. Click Set CSR Properties if you want to specify custom certificate properties. The following properties appear:

    • Domain Name: Network domain name

    • Organizational Unit


      Note

      Organizational Unit is a noneditable field. The organization unit must be the same as the organization name used in Cisco vManage.


      Note

      For devices using Cisco IOS XE Release 17.9.3a or later, the certificates that you install on the devices do not require the Organizational Unit field to be defined. However, if a signed certificate includes the Organizational Unit field, the field must match the organization name configured on the device. This addresses the policy of the Certification Authority Browser Forum (CA/Browser Forum), as of September 2022, to stop including an organizational unit in signed certificates. Despite the change in policy of the CA/Browser Forum, some certificate authorities might still include an organizational unit in the signed certificate.

    • Secondary Organization Unit: This optional field is only available in Cisco IOS XE Release 17.2 or Cisco SD-WAN Release 20.1.x and onwards. Note that if this optional field is specified, it will be applied to all controllers and edge devices.


      Note

      If a signed certificate includes the Organizational Unit field or the Secondary Organizational Unit field, one of these fields must match the organization name configured on the device. This addresses the policy of the Certification Authority Browser Forum (CA/Browser Forum), as of September 2022, to stop including an organizational unit in signed certificates. Despite the change in policy of the CA/Browser Forum, some certificate authorities might still include an organizational unit in the signed certificate.

    • Organization

    • City

    • State

    • Email

    • 2-Letter Country Code

    • Subject Altenative Name (SAN) DNS Names: (optional) You can configure multiple host names to use the same SSL certificate. Example: cisco.com and cisco2.com

    • Subject Altenative Name (SAN) URIs: (optional) You can configure multiple uniform resource identifiers (URIs) to use the same SSL certificate. Example: cisco.com and support.cisco.com

  4. Chose Select a file to upload a root certificate authority file.

    The uploaded root certificate authority displays in the text box.

  5. Click Save.

  6. From the Cisco vManage menu, choose Configuration > Devices.

  7. Select the Upload WAN Edge List tab.

  8. Browse to the location of the Cisco IOS XE SD-WAN devices and Cisco vEdge devices list and click Upload.

  9. On the Configuration > Certificates page, click ... and choose an action:

    • View Enterprise CSR (certificate signing request): Copy the CSR and sign it using the enterprise root certificate, and upload the signed certificate on vManage using the Install Certificate operation. vManage automatically discovers on which hardware edge the certificate needs to be installed on.

    • View Enterprise Certificate: After the certificate is installed, you can see the installed certificate and download it.

    • Renew Enterprise CSR: If you need to install a new certificate on the hardware device, you can use the Renew Enterprise CSR option. The Renew Enterprise CSR option generates the CSR. You can then view the certificate (View Enterprise CSR option) and install the certificate (Install Certificate option). This step flaps the control connections as a new serial number. You can see the new serial number and expiry data on the Configuration > Certificates page.


      Note

      The certificates that you install on devices in the Cisco SD-WAN overlay do not require the Organizational Unit field to be defined. However, if a signed certificate includes the Organizational Unit field, the field must match the organization name configured on the device.

    • Revoke Enterprise Certificate: This option removes the enterprise certificate from the device and moves it back to prestaging. The device has only vBond and vManage controls up.

    For a Cisco IOS XE SD-WAN device, click ... and choose an action:

    • View Feature CSR:

      • Copy the CSR available from the Cisco IOS XE SD-WAN device.

      • Sign the certificate using the enterprise root certificate from a certifying authority.

      • Upload the signed certificate on Cisco vManage using the Install Feature Certificate operation.

        Cisco vManage automatically discovers on which hardware edge the certificate needs to be installed. After you install feature certificate, the option View Feature Certificate is available.

    • View Feature Certificate: After you install the feature certificate, you can view the feature certificate and download it.

    • Revoke Feature Certificate: This option removes the feature certificate or trustpoint information from the Cisco IOS XE SD-WAN device. After revoking a certificate, all actions against devices are not available. To view all actions for a device, ensure that you configure logging information of the device to a Transport Layer Security (TLS) profile with authentication type as server, and then configure back to mutual. Alternatively, to view the actions, reset Cisco IOS XE SD-WAN device to factory default configuration.

      To reset a device to factory default:

      • From the Cisco vManage menu, choose Configuration > Templates.

      • Create a device template with the factory-default template.

        The factory-default template is, Factory_Default_feature-name_Template. See Create a Device Template from Feature Templates for information about creating a device template with feature template.

  10. Click Install Certificate or Install Feature Certificate to upload the signed certificate.

    The certificate must be a signed certificate. Initially, the state is CSR Generated.

    The state changes to Certificate Installed when successfully installed.

  11. From the Cisco vManage menu, choose Configuration > Certificates. You can see enterprise certificate columns, including the device type, chassis-id, enterprise serial number, and enterprise certificate date.

Generate a Bootstrap Configuration

The on-site bootstrap process involves generating a bootstrap configuration file that loads from a bootable USB drive or from internal boot flash to a device that supports SD-WAN. When the device boots, it uses the information in the configuration file to come up on the network.


Note

If you need to generate a bootstrap configuration, use the Configuration > Devices page, click , and choose Generate Bootstrap Configuration.


Note

Beginning with Cisco vManage Release 20.7.1, there is an option available when generating a bootstrap configuration file for a Cisco vEdge device, enabling you generate two different forms of the bootstrap configuration file.

  • If you are generating a bootstrap configuration file for a Cisco vEdge device that is using Cisco SD-WAN Release 20.4.x or earlier, then check the The version of this device is 20.4.x or earlier check box.

  • If you are generating a bootstrap configuration for a Cisco vEdge device that is using Cisco SD-WAN Release 20.5.1 or later, then do not use the check box.

Deleting a WAN Edge Device

Before deleting a WAN edge device, invalidate the device.

  1. From the Cisco vManage menu, choose Configuration > Certificates.

  2. In the row showing the device, click Invalid to invalidate the device.

Authorize a Controller Certificate for an Enterprise Root Certificate

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. In the Controller Certificate Authorization area, click Edit.

  3. Click Enterprise Root Certificate. If a warning appears, click Proceed to continue.

  4. Optionally, click Set CSR Properties to configure certificate signing request (CSR) details manually.


    Note

    In a multi-tenant scenario, if you configure CSR properties manually and if you are using Cisco SD-WAN Controllers Release 20.11.1 or later, then ensure that devices in the network are using Cisco IOS XE Release 17.11.1a or later. In a single-tenant scenario, this is not required.

    In a multi-tenant scenario, if you configure CSR properties manually, then when you are ready to generate a CSR for a tenant device, enter the tenant's organization name in the Secondary Organizational Unit field described below. In a multi-tenant scenario, if you are generating a CSR for a service provider device, this is not required.

    The following properties appear:

    • Domain Name: Network domain name

    • Organizational Unit


      Note

      Organizational Unit is a noneditable field. This field is auto-filled with the organization name that you have configured for Cisco vManage in Administration > Settings > Organization Name.

    • Secondary Organizational Unit: This optional field is only available in Cisco IOS XE Release 17.2 or Cisco SD-WAN Release 20.1.x and onwards. Note that if this optional field is specified, it will be applied to all controllers and edge devices.

    • Organization: Beginning with Cisco vManage Release 20.11.1, when configuring controller certificate authorization for enterprise certificates on WAN edge cloud devices, you can specify any organization in this field. You are not limited to names such as Viptela LLC, vIPtela Inc, or Cisco Systems. This enables you to use your organization’s certificate authority name or a third-party certificate authority name. The maximum length is 64 characters, and can include spaces and special characters. Cisco vManage validates the name when you enter it.

    • City

    • State

    • Email

    • 2-Letter Country Code

    • Subject Altenative Name (SAN) DNS Names: (optional) You can configure multiple host names to use the same SSL certificate. Example: cisco.com and cisco2.com

    • Subject Altenative Name (SAN) URIs: (optional) You can configure multiple uniform resource identifiers (URIs) to use the same SSL certificate. Example: cisco.com and support.cisco.com

  5. Paste an SSL certificate into the Certificate field or click Select a file and navigate to an SSL certificate file.

  6. (Optional) In the Subject Alternative Name (SAN) DNS Names field, you can enter multiple host names to use the same SSL certificate.

    Example: cisco.com and cisco2.com

  7. (Optional) In the Subject Alternative Name (SAN) URIs field, you can enter multiple URIs to use the same SSL certificate.

    Example: cisco.com and support.cisco.com

    This is helpful for an organization that uses a single certificate for a host name, without using different subdomains for different parts of the organization.

Cisco PKI Controller Certificates

From software release 19.x and onwards, there is an option to use Cisco as the certificate authority (CA) instead of Symantec/Digicert for Cisco SD-WAN controller certificates.

This section describes deployment types, scenarios to administer, install, and troubleshoot controller certificates using Cisco public key infrastructure (PKI). Cisco PKI provides certificate management to support security protocols such IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL).

The major difference between Symantec/Digicert and Cisco PKI certificates is that Cisco PKI certificates are linked to a Smart Account (SA) and Virtual Account (VA) in Plug and Play (PnP) and do not require manual approval using a portal like Digicert. Each VA has a limit of 100 certificates, meaning that each overlay has a limit of 100 certificates, and after the certificate signing request (CSR) is generated, the approval and installation happens automatically if the Cisco vManage settings are set correctly.

Devices are added and certificates are installed automatically from the Cisco PKI servers. No intervention is required to approve the certificate.

Supported Devices for Cisco PKI Certificates

The following are the supported devices for using Cisco PKI certificates.

Device

Support

Cisco vManage

Yes

Cisco vBond Orchestrator

Yes

Cisco vSmart Controller

Yes

Cisco vEdge devices

Yes

Cisco IOS XE SD-WAN devices

Yes

Use Cases for Cisco PKI Controller Certificates

Use Case: Cisco-Hosted Cloud Overlays with Software Version 19.x and Above

Prerequisites

Cisco vManage and the controllers should all be running the same software version.

On the Configuration > Devices > Controllers page, ensure that the OOB IP address and credentials are updated for all the controllers.

You can verify the software version for the new or expired overlays without having control connections using SSH.

  1. SSH to each of the controllers and the version should show during the SSH process.

  2. You do not need to actually have the credentials work, therefore you can run this on a controller where the credentials do not work.

    Repeat this process for all the controllers in the overlay to make sure.

  3. Customer Smart Account credentials need to be ready using either of the following methods:

    1. Email and request the customer contact from PnP trigger notifications to individually email you and provide the Smart Account credentials.

      or

    2. Email and request the customer contact to log on to Cisco vManage and add them. Also ensure that you ask the customer for their IPs tobe added to the allowed list..

      Ensure that if asking the customer to provide their customer contact to log on, this step is done after asking the customer for their IPs to be added to the allowed list, so that they can reach the Cisco vManage GUI, be be able to log in, and input their Smart Account credentials.

      To find your Smart Account credentials, from the Cisco vManage menu, choose Administration > Settings > Smart Account Credentials .

      Enter the user name and password and click Save.

Runbook to Request and Install Cisco PKI Certificates

  1. Verify that you have satisfied the prerequisites and that you have added the Smart Account credentials.

  2. From the Cisco vManage menu, choose Administration > Settings > Controller Certificate Authorization and click Edit.

  3. Click Cisco (Recommended).


    Note

    Cisco vManage displays an error if the Smart Account credentials are not added. Check the prerequisites.

  4. Set the validity period to 1 year for POCs, 2 years for production overlays in the drop-down.

  5. Set Certificate Retrieve Interval to 1 minute and press Save.


    Note

    Currently there is no customer email field to notify customers about approval because the certificates are auto-approved as soon as the CSR request is done.

  6. From this step onwards, the process is the same as for the Symantec/Digicert controllers in the Cisco vManage GUI.

    From the Cisco vManage menu, choose Configuration > Certificates and click Controllers. Click and choose Generate CSR.

    The operation status shows the CSR sent for signing, the certificate signed and installed automatically without needing human intervention.

  7. The certificates are installed automatically. If successful, the Configuration > Certificates > Controllers page shows the following:

    • Expiration date for the certificates for each controller

    • Operation Status column:

      • Cisco vBond Orchestrator: "Installed"

      • Cisco vManage and Cisco vSmart Controller: "vBond Updated"

    • Certificate Serial column: Certificate serial number

  8. Ensure that the control connections have come up to the controllers on the Cisco vManage dashboard.

Use Case: Migration of an Active Existing Overlay from Digicert to Cisco PKI Controller Certificates During Certificate Renewal

Prerequisites

Cisco vManage, controllers, and vEdges should all have their control connections up.

Ensure OOB IP address and credentials are updated in Configuration > Devices > Controllers. For each controller, click and verify the updates.

Migrate an Active Existing Overlay from Digicert to Cisco PKI Controller Certificates

  1. In Cisco vManage, verify that the control connections to controllers and Cisco vEdge devices are up.

    If the control connections are not up, migrating from Digicert to Cisco PKI cannot proceed.

    If the control connections are only partially up, that is some Cisco vEdge devices are control down, then those Cisco vEdge devices will not be able to automatically reconnect to the controllers if their control comes up after the certificates have been moved to Cisco PKI.

    If it is a case of expired certificates and control connections are down, then certificates need to be renewed on Digicert first and control connections need to be brought up before migrating them to the Cisco PKI controller certificates.

  2. Verify that the software version of the controllers is 19.x or later.

    How to Verify the Software Version for the Active Existing Overlays (with Valid Control Connections to Controllers) Using Cisco vManage

    1. From the Cisco vManage menu, choose Maintenance > Software Upgrade.

    2. Click vManage and check the Current Version column. Verify that it is 19.x or later.

      If the control connections are up and Cisco vManage and controller versions are not 19.x or later, then upgrade them first (Cisco vEdge devices need not be upgraded) before migration to Cisco PKI can be done.


      Note

      It is mandatory that controllers upgraded to 19.x should immediately have their certificates renewed with Cisco PKI as part of the upgrade; they cannot be allowed to run with the existing Symantec certificates even if those certificates are going to remain valid.

    3. After verifying the prerequisites, check that the Cisco PKI root-CA has been propagated to all the controllers and the Cisco vEdge devices. This requires SSH access to the controllers.

      1. SSH into the Cisco vManage and controllers and run the following command: show certificate root-ca-cert | include Cisco.

        If the output is blank or does not show the result, escalate to the cloud infrastructure team.

    4. Customer Smart Account credentials need to be ready by either of the following methods:

      1. Email and request the customer contact from a PnP trigger notification to individually email you and provide the Smart Account credentials.

        or

      2. Email and request your customer contact to log on to the Cisco vManage themselves and add them. Also ensure that you ask for the customer IPs to be added to the allowed list.

        Ensure that if asking the customer to provide, this step is done after asking the customer for their IPs to be added to the allowed list, so that they can reach the Cisco vManage GUI, be able to log on, and input the Smart Account Credentials.

        To view the Smart Account credentials, from the Cisco vManage menu, choose Administration > Settings and see the Smart Account Credentials section.

      3. Enter the username and password and click Save.

        Once all the prerequisites have been satisfied, follow the Runbook to Request and Install Cisco PKI Certificates procedure to request CSRs and get the Cisco certificates installed. Verify that all the control connections to the controllers and the Cisco vEdge devices have come back up. If not, then escalate to the cloud infrastructure team.

Runbook to Request and Install Cisco PKI Certificates

  1. Verify that you have satisfied the prerequisites and that you have added the Smart Account credentials.

  2. From the Cisco vManage menu, choose Administration > Settings, and in the Controller Certificate Authorization section, click Edit.

  3. Click Cisco (Recommended).


    Note

    Cisco vManage displays an error if the Smart Account credentials are not added. Check the prerequisites.

  4. Set the validity period to 1 year for POCs, 2 years for production overlays in the drop-down.

  5. Set Certificate Retrieve Interval to 1 minute and press Save.


    Note

    Currently there is no customer email field to notify customers about approval because the certificates are auto-approved as soon as the CSR request is done.

  6. From this step onwards, the process is the same as for the Symantec/Digicert controllers in the Cisco vManage GUI.

    From the Cisco vManage menu, choose Configuration > Certificates and click Controllers . Click and choose Generate CSR.

    The operation status shows the CSR sent for signing, the certificate signed and installed automatically without requiring intervention.

  7. The certificates are installed automatically. If successful, the Configuration > Certificates > Controllers page shows the following:

    • Expiration date for the certificates for each controller

    • Operation Status column:

      • Cisco vBond Orchestrator: "Installed"

      • Cisco vManage and Cisco vSmart Controller: "vBond Updated"

    • Certificate Serial column: Certificate serial number

  8. Ensure that the control connections have come up to the controllers on the Cisco vManage dashboard.

  9. Set the Certificate Retrieve Interval to 1 minute.

  10. Click Sync Root Certificate to migrate the Cisco vEdge devices or Cisco IOS XE SD-WAN devices in Cisco vManage to Cisco pki. This support available from 19.2.1 version or later.

  11. Click Save.

Use Case: Submitting CSRs and Downloading Certificates on On-Premises Controllers

The following steps require access to PnP and to the SA/VA in question. Customers have access to their own SA/VA.

Prerequisites

The prerequisites are the same in the above cases, except that you use the manual method for installing the certificates.

Runbook

  1. From the Cisco vManage menu, choose Administration > Settings. In the Controller Certificate Authorization section, verify that it is set to Manual.

  2. Generate the CSRs for the controllers.

    From the Cisco vManage menu, choose Configuration > Certificates and click Controllers. Click and choose Generate CSR.

    Download each CSR to a file with a filename .csr and keep it ready to submit to the PnP portal for getting the signed certificates.

  3. Log on to the PnP portal to the required SA/VA and select the Certificates tab.

  4. Click Generate Certificate and follow the steps to give a name for the certificate file, paste the CSR, and download the signed certificate.

    The finished certificate is ready for download. Repeat this process for each CSR and download all the required certificates.

  5. To install the downloaded certificates, from the Cisco vManage menu, choose Configuration > Certificates and click Controllers. Click Install Certificate.

    After installation, verify that the control connections are up.

Debugging and Log Information

  1. Check the Cisco vBond Orchestrator profile under the VA in PnP to verify that the correct organization name exists.

  2. Check the output at /var/log/nms/vmanage-server.log on Cisco vManage for logs of the entire certificate process.

  3. Verify that Cisco vManage has internet connectivity to reach the Cisco PKI servers.

Web Server Certificate for Cisco vManage

To establish a secure connection between your web browser and the Cisco vManage server using authentication certificates, you must generate a CSR to create a certificate, have it signed by a root CA, and then install it. You must install a separate certificate on each Cisco vManage server in a cluster by performing the following steps for each server:

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. In the Web Server Certificate area, click CSR.

  3. In the Common Name field, enter the domain name or IP address of the Cisco vManage server. For example, the fully-qualified domain name of Cisco vManage could be vmanage.org.local.

  4. In the Organizational Unit field, enter the unit name within your organization — for example, Network Engineering.

  5. In the Organization field, enter the exact name of your organization as specified by your root CA — for example, Viptela Inc.

  6. In the City field, enter the name of the city where your organization is located — for example, San Jose.

  7. In the State field, enter the state in which your city is located — for example, California.

  8. In the 2-Letter Country Code field, enter the two-letter code for the country in which your state is located. For example, the two-letter country code for the United States of America is US.

  9. Click Validity and choose the validity period for the certificate.

  10. Optionally, in the Subject Alternative Name (SAN) DNS Names field, enter the names of DNS severs to which the certificate trust should be extended. If you enter more than one DNS server name, separate each name with a space or a comma.


    Note

    Cisco SD-WAN supports SAN DNS names, from Cisco IOS XE SD-WAN release 16.11 and Cisco SD-WAN release 19.1.

  11. Optionally, in the Subject Alternative Name (SAN) URIs field, enter the URIs of resources to which the certificate trust should be extended. If you enter more than one URI, separate each URI with a space or a comma.

    Enter each URI in scheme:value format, where scheme is the protocol for accessing the resource and value is the resource. For example, https://example.example.com or scp://example.example.com.


    Note

    Cisco SD-WAN supports SAN URIs beginning with Cisco IOS XE SD-WAN release 16.11 and Cisco SD-WAN release 19.1.

  12. Click Generate to generate the CSR.

  13. Send the CSR to your CA server to have it signed.

  14. When you receive the signed certificate, click Certificate near the Web Server Certificate bar to install the new certificate. The View box displays the current certificate on the Cisco vManage server.

  15. Copy and paste the new certificate in the box. Alternatively, click Import and Select a File to download the new certificate file.

  16. Restart the application server and log in to Cisco vManage.

View Web Server Certificate Expiration Date 

When you establish a secure connection between your web browser and the Cisco vManage server using authentication certificates, configure the time period for which the certification is valid (in Step 8 in the previous section). At the end of this time period, the certificate expires. The Web Server Certificate bar shows the expiration date and time.

Starting 60 days before the certificate expires, the Cisco vManage dashboard displays a notification indicating that the certificate will expire soon. This notification is then displayed again 30, 15, and 7 days before the expiration date, and then daily.

Enable Reverse Proxy

Table 3. Feature History
Feature Name Release Information Description
Support for Reverse Proxy with Cisco IOS XE SD-WAN Devices and Cisco SD-WAN Multitenancy

Cisco IOS XE Release 17.6.1a

Cisco SD-WAN Release 20.6.1

Cisco vManage Release 20.6.1

 With this feature, you can deploy a reverse proxy in your overlay network between Cisco IOS XE SD-WAN devices and Cisco vManage and Cisco vSmart Controllers. Also, this feature enables you to deploy a reverse proxy in both single-tenant and multitenant deployments that include Cisco vEdge devices or Cisco IOS XE SD-WAN devices. In a multitenant deployment, the Service Provider manages reverse proxy and the associated configuration.

In a standard overlay network, Cisco SD-WAN edge devices initiate direct connections to the Cisco SD-WAN controllers (Cisco vManage and Cisco vSmart Controllers) and exchange control plane information over these connections. The WAN edge devices are typically located in branch sites and connect to the Cisco SD-WAN controllers over the internet. As a result, Cisco vManage and Cisco vSmart Controllers are also connected directly to the internet.

For security, or other reasons, you may not want the Cisco SD-WAN controllers to have direct internet connections. In such a scenario, you can deploy a reverse proxy between the Cisco SD-WAN controllers and the WAN edge devices. The reverse proxy acts as an intermediary to pass control traffic between the Cisco SD-WAN controllers and the WAN edge devices. Instead of communicating directly with Cisco vManage and the Cisco vSmart Controllers, the WAN edge devices communicate with the reverse proxy, and the reverse proxy relays the traffic to and from Cisco vManage and Cisco vSmart Controllers.

The following figure illustrates a reverse proxy deployed between a WAN edge device and Cisco vManage and the Cisco vSmart Controllers.

You can deploy a reverse proxy in both single-tenant and multi-tenant Cisco SD-WAN deployments.

Restrictions for Enabling Reverse Proxy Support

  • In a multitenant Cisco SD-WAN overlay network, you can deploy a reverse proxy device with only a three-node Cisco vManage cluster. Deployment of the reverse proxy is only supported with a TLS-based control plane for Cisco vManage and Cisco vSmart Controllers.

  • You cannot deploy a reverse proxy with a Cisco vEdge 5000 router.

  • You cannot deploy a reverse proxy with IPv6 control connections.

Provision Certificates on the Reverse Proxy

Before exchanging traffic, the reverse proxy and the WAN edge devices must authenticate each other.

On the reverse proxy you must provision a certificate that is signed by the CA that has signed the certificate of the Cisco SD-WAN controllers. This certificate is used by the reverse proxy to verify the WAN edge devices.

To generate a Certificate Signing Request (CSR) for the reverse proxy and have it signed by Cisco, do as follows:

  1. Run the following command on the reverse proxy:

    proxy$ openssl req -new -days 365 -newkey rsa:2048 -nodes -keyout Proxy.key -out Proxy.csr

    When prompted, enter values as suggested in the following table:

    Property Description
    Country Name (2 letter code)

    Any country code.

    Example: US
    State or Province Name

    Any state or province.

    Example: CA
    Locality Name

    Any locality.

    Example: San Jose
    Organization Name

    Use either "vIPtela Inc" or "Viptela LLC".

    Starting from Cisco IOS XE Release 17.10.1a, you can use "Cisco Systems" string as the Organization Name for enterprise certificates.

    Example: Viptela LLC
    Organizational Unit Name

    Use the “organization” name configured on the overlay.

    Example: cisco-sdwan-12345
    Common Name

    Host name ending with “.viptela.com”.

    Example: proxy.viptela.com
    Email Address

    Use any valid email address.

    Example: someone@example.com

  2. Get the CSR signed by Cisco.

    • If you use Symantec/Digicert as the CA for the Cisco SD-WAN controllers, open a case with Cisco TAC to sign the CSR.

    • If you use Cisco Public Key Infrastructure (PKI) as the CA for the Cisco SD-WAN controllers, submit the CSR on the Cisco Network Plug and Play (PnP) application and retrieve the signed certificate.

Enable Reverse Proxy

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. For the Reverse Proxy setting, click Edit.

  3. For Enable Reverse Proxy, click Enabled.

  4. Click Save.

Configure Reverse Proxy Settings on Cisco SD-WAN Controllers

  1. From the Cisco vManage menu, choose Configure > Devices.

  2. Click Controllers.

  3. For the desired Cisco vManage instance or Cisco vSmart Controller, click and click Add Reverse Proxy.

    The Add Reverse Proxy dialog box appears.

  4. To map a private IP address and port number to a proxy IP address and port number, do as follows:

    1. Click Add Reverse Proxy.

    2. Enter the following details:

      Private IP The private IP address is the IP address of the transport interface in VPN 0.
      Private Port This is the port used to establish the connections that handle control and traffic in the overlay network. The default port number is 12346.
      Proxy IP Proxy IP address to which private IP address must be mapped.
      Proxy Port Proxy port to which the private port must be mapped.

    3. If the Cisco vManage instance or Cisco vSmart Controller has multiple cores, repeat Step 4 a and Step 4 b for each core.

  5. To delete a private IP address-port number to proxy IP address-port number mapping, find the mapping and click the trash icon.

  6. To save the reverse proxy settings, click Add.

    To discard the settings, click Cancel.

  7. In the Security feature template attached to the Cisco vManage instance or Cisco vSmart Controller, choose TLS as the transport protocol.

After you configure reverse proxy settings on a Cisco vManage instance or a Cisco vSmart Controller, WAN edge devices in the overlay network are provisioned with a certificate for authentication with the reverse proxy.

  1. When a reverse proxy is deployed, Cisco vBond Orchestrator shares the details of the reverse proxy with the WAN edge devices.

  2. On learning about the reverse proxy, a WAN edge device initiates the installation of a signed certificate from Cisco vManage.

  3. After the certificate is installed, the WAN edge device uses the certificate for authentication with the reverse proxy and connects to the reverse proxy.

Disable Reverse Proxy


Note

Before you disable reverse proxy, delete any private IP address-port number to proxy IP address-port number mappings that you have configured for Cisco vManage instances and Cisco vSmart Controller. See Configure Reverse Proxy Settings on Cisco SD-WAN Controllers for information about deleting the mappings.

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. For the Reverse Proxy setting, click Edit.

  3. For Enable Reverse Proxy, click Disabled.

  4. Click Save.

Monitor Private and Proxy IP Addresses of Cisco SD-WAN Controllers and WAN Edge Devices

  1. From the Cisco vManage menu, choose Monitor > Devices.

    Cisco vManage Release 20.6.x and earlier: From the Cisco vManage menu, choose Monitor > Network.

  2. Click on the hostname of a Cisco vManage instance, Cisco vSmart Controller, or a WAN edge device.

  3. In the left pane, click Real Time.

  4. From the Device Options drop-down list, choose Control Connections.

    In the table that appears, the entries in the Private IP and Private Port columns are the private IP address and port number of the transport interface in VPN 0. The entries in the Public IP and Public Port columns are the proxy IP address and port number.

Monitor Reverse Proxy Using CLI

Example: Monitor Private and Proxy IP Address and Port Numbers of WAN Edge Devices on Cisco SD-WAN Controllers

The following is a sample output from the execution of the show control connections command on a Cisco vSmart Controller. In the command output, for a WAN edge device, the entries in the PEER PRIVATE IP and PEER PRIV PORT columns are the configured TLOC IP address and port number of the WAN edge interface. The entries in the PEER PUBLIC IP and PEER PUB PORT columns are the corresponding IP address and port number of the reverse proxy interface. The same command can also be executed on a Cisco vManage instance to obtain a similar output. 

vsmart1# show control connections
                                                                  PEER                PEER                                          
      PEER    PEER PEER            SITE       DOMAIN PEER         PRIV    PEER        PUB                                           
INDEX TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP   PORT    PUBLIC IP   PORT    ORGANIZATION   REMOTE COLOR     STATE UPTIME     
-------------------------------------------------------------------------------------------------------------------------------------------------
0     vbond   dtls 172.16.1.2         0          0      10.1.1.2     12346   10.1.1.2    12346   EXAMPLE-ORG    default         up     53:08:18:50
0     vmanage tls  172.16.1.6         1          0      10.2.100.6   45689   10.2.100.6  45689   EXAMPLE-ORG    default         up     53:08:18:32
1     vedge   tls  1.1.100.1       100        1      10.3.1.2     57853   10.2.100.1  53624   EXAMPLE-ORG    biz-internet    up     53:08:18:44
1     vedge   tls  1.1.101.1       101        1      10.4.1.2     55411   10.2.100.1  53622   EXAMPLE-ORG    biz-internet    up     53:08:18:48
1     vbond   dtls 172.16.1.2         0          0      10.1.1.2     12346   10.1.1.2    12346   EXAMPLE-ORG    default         up     53:08:18:51
 
vsmart1#
Example: View Mapping of SD-WAN Controller Private IP Address and Port Number to Proxy IP Address and Port Number on Cisco vBond Orchestrator

The following is a sample output from the execution of the show orchestrator reverse-proxy-mapping command on a Cisco vBond Orchestrator. In the command output, the entries in the PROXY IP and PROXY PORT columns are the proxy IP address and port number. The entries in the PRIVATE IP and PRIVATE PORT columns are the private IP address and port number of the transport interface in VPN 0. 

vbond# show orchestrator reverse-proxy-mapping                                                                                          
                                                                                                                                         
                                                  PRIVATE             PROXY                                                              
UUID                                  PRIVATE IP  PORT     PROXY IP   PORT                                                               
-----------------------------------------------------------------------------                                                            
14c35ae4-69e3-41c5-a62f-725c839d25df  10.2.100.4  23456    10.2.1.10  23458                                                              
14c35ae4-69e3-41c5-a62f-725c839d25df  10.2.100.4  23556    10.2.1.10  23558                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  23456    10.2.1.10  23457                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  23556    10.2.1.10  23557                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  23656    10.2.1.10  23657                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  23756    10.2.1.10  23757                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  23856    10.2.1.10  23857                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  23956    10.2.1.10  23957                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  24056    10.2.1.10  24057                                                              
6c63e80a-8175-47de-a455-53a127ee70bd  10.2.100.6  24156    10.2.1.10  24157                                                              
                                                                                                                                         
vbond#
Example: View Mapping of SD-WAN Controller Private IP Address and Port Number to Proxy IP Address and Port Number on a WAN Edge Device

The following is a sample output from the execution of the show sdwan control connections command on a Cisco IOS XE SD-WAN device. In the command output, check the entry in the PROXY column for a Cisco vManage instance or a Cisco vSmart Controller. If the entry is Yes, the entries in the PEER PUBLIC IP and PEER PUBLIC PORT are the proxy IP address and port number. 

Device# show sdwan control connections                                                                                               
                                                             PEER              PEER                                  CONTROLLER                                                                                     
PEER    PEER PEER            SITE       DOMAIN PEER          PRIV  PEER        PUB                                   GROUP                                                                                          
TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP    PORT  PUBLIC IP   PORT  ORGANIZATION    LOCAL COLOR     PROXY STATE UPTIME      ID                                                                     
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------                                                                                          
vsmart  tls  172.16.1.4         1          1      10.2.100.4    23558 10.2.1.10   23558 EXAMPLE-ORG     biz-internet    Yes   up     52:08:44:25 0                                                                     
vbond   dtls 0.0.0.0         0          0      10.1.1.2      12346 10.1.1.2    12346 EXAMPLE-ORG     biz-internet    -     up     52:08:50:47 0                                                                     
vmanage tls  172.16.1.6         1          0      10.2.100.6    23957 10.2.1.10   23957 EXAMPLE-ORG     biz-internet    Yes   up     66:03:04:50 0                                                                     
                                                                                                                                         
                                                                                                                                         
Device#

On a Cisco vEdge device, you can obtain a similar output by executing the command show control connections .

Example: View Signed Certificate Installed on a WAN Edge Device for Authentication with Reverse Proxy

The following is a sample output from the execution of the show sdwan certificate reverse-proxy command on a Cisco IOS XE SD-WAN device. 

Device# show sdwan certificate reverse-proxy                                                                                         
Reverse proxy certificate                                                                                                                
------------------                                                                                                                       
                                                                                                                                         
Certificate:                                                                                                                             
    Data:                                                                                                                                
        Version: 1 (0x0)                                                                                                                 
        Serial Number: 1 (0x1)                                                                                                           
        Signature Algorithm: sha256WithRSAEncryption                                                                                     
        Issuer: C = US, CN = 6c63e80a-8175-47de-a455-53a127ee70bd, O = Viptela                                                           
        Validity                                                                                                                         
            Not Before: Jun  2 19:31:08 2021 GMT                                                                                         
            Not After : May 27 19:31:08 2051 GMT                                                                                         
        Subject: C = US, ST = California, CN = C8K-9AE4A5A8-4EB0-E6C1-1761-6E54E4985F78, O = ViptelaClient                               
        Subject Public Key Info:                                                                                                         
            Public Key Algorithm: rsaEncryption                                                                                          
                RSA Public-Key: (2048 bit)                                                                                               
                Modulus:                                                                                                                 
                    00:e2:45:49:53:3a:56:d4:b8:70:59:90:01:fb:b1:                                                                        
                    44:e3:73:17:97:a3:e9:b7:55:44:d4:2d:dd:13:4a:                                                                        
                    a8:ef:78:14:9d:bd:b5:69:de:c9:31:29:bd:8e:57:                                                                        
                    09:f2:02:f8:3d:1d:1e:cb:a3:2e:94:c7:2e:61:ea:                                                                        
                    e9:94:3b:28:8d:f7:06:12:56:f3:24:56:8c:4a:e7:                                                                        
                    01:b1:2b:1b:cd:85:4f:8d:34:78:78:a1:26:17:2b:                                                                        
                    a5:1b:2a:b6:dd:50:51:f8:2b:13:93:cd:a6:fd:f8:                                                                        
                    71:95:c4:db:fc:a7:83:05:23:68:61:15:05:cc:aa:                                                                        
                    60:af:09:ef:3e:ce:70:4d:dd:50:84:3c:9a:57:ce:                                                                        
                    cb:15:84:3e:cd:b2:b6:30:ab:86:68:17:94:fa:9c:                                                                        
                    1a:ab:28:96:68:8c:ef:c8:f7:00:8a:7a:01:ca:58:                                                                        
                    84:b0:87:af:9a:f6:13:0f:aa:42:db:8b:cc:6e:ba:                                                                        
                    c8:c1:48:d2:f4:d8:08:b1:b5:15:ca:36:80:98:47:                                                                        
                    32:3a:df:54:35:fe:75:32:23:9f:b5:ed:65:41:99:                                                                        
                    50:b9:0f:7a:a2:10:59:12:d8:3e:45:78:cb:dc:2a:                                                                        
                    95:f2:72:02:1a:a6:75:06:87:52:4d:01:17:f2:62:                                                                        
                    8c:40:ad:29:e4:75:17:04:65:a9:b9:6a:dd:30:95:                                                                        
                    34:9b                                                                                                                
                Exponent: 65537 (0x10001)                                                                                                
    Signature Algorithm: sha256WithRSAEncryption                                                                                         
         99:40:af:23:bb:cf:7d:59:e9:a5:83:78:37:02:76:83:79:02:                                                                          
         b3:5c:56:e8:c3:aa:fc:78:ef:07:23:f8:14:19:9c:a4:5d:88:                                                                          
         07:4d:6e:b8:0d:b5:af:fa:5c:f9:55:d0:60:94:d9:24:99:5e:
         33:06:83:03:c3:73:c1:38:48:45:ba:6a:35:e6:e1:51:0e:92:                                                                          
         c3:a2:4a:a2:e1:2b:da:cd:0c:c3:17:ef:35:52:e1:6a:23:20:                                                                          
         af:99:95:a2:cb:99:a7:94:03:f3:78:99:bc:76:a3:0f:de:04:                                                                          
         7d:35:e1:dc:4d:47:79:f4:c8:4c:19:df:80:4c:4f:15:ab:f1:                                                                          
         61:a2:78:7a:2b:6e:98:f6:7b:8f:d6:55:44:16:79:e3:cd:51:                                                                          
         0e:27:fc:e6:4c:ff:bb:8f:2d:b0:ee:ed:98:63:e9:c9:cf:5f:                                                                          
         d7:b1:dd:7b:19:32:22:94:77:d5:bc:51:85:65:f3:e0:93:c7:                                                                          
         3c:79:fc:34:c7:9f:40:dc:b1:fc:6c:e5:3d:af:2d:77:b7:c3:                                                                          
         88:b3:89:7c:a6:1f:56:35:3b:35:66:0c:c8:05:b5:28:0b:98:                                                                          
         19:c7:b0:8e:dc:b7:3f:9d:c1:bb:69:f0:7d:20:95:b5:d1:f0:                                                                          
         06:35:b7:c4:64:ba:c4:95:31:4a:97:03:0f:04:54:6d:cb:50:                                                                          
         2f:31:02:59                                                                                                                     
                                                                                                                                         
Device#

On a Cisco vEdge device, you can obtain a similar output by executing the command show certificate reverse-proxy .

Was this Document Helpful?

FeedbackFeedback

Contact Cisco