Manage Certificates

Generate a web server certificate

Web server certificates are not issued automatically for Cisco SD-WAN Manager. Generate the Certificate Signing Request (CSR) for your Domain Name System (DNS) name and have it signed by your Certificate Authority (CA). For commercial deployments, add an A record in your DNS server for the IP address, or add a CNAME that points to the .viptela.net or .sdwan.cisco.com Cisco SD-WAN Manager DNS name. For government deployments, use sdwangov.fedramp.cisco

Note

Control component certificates are for internal control component use only. Use web server certificates for web server authentication.
Refer to Web Server Certificates in the Cisco Catalyst SD-WAN Getting Started Guide for more information.
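The CSR step above is usually done with openssl. The following is an added example, not Cisco's tooling or part of this guide: it generates a key and a CSR that carries the Manager DNS name as a Subject Alternative Name (browsers and API clients check the SAN, not only the CN), and it checks a returned certificate before you install it: the chain validates against the issuing CA, the hostname matches, and the certificate's public key is the one from your CSR. The hostname `vmanage.example.net` is a constructed placeholder, and `sign_with_test_ca` is a throwaway stand-in for your real CA so the script runs offline; in a real renewal the CSR goes to your CA instead.

```shell
#!/bin/sh
# Added example (not Cisco's code). Assumes openssl 1.1.1 or later is in PATH.
set -eu

MANAGER_FQDN="${MANAGER_FQDN:-vmanage.example.net}"   # constructed placeholder
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the private key and CSR with the Manager FQDN in the SAN extension.
# Prints the SAN recorded in the CSR so the caller can confirm it.
make_csr() {
  fqdn="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/webserver.key" -out "$WORKDIR/webserver.csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
  openssl req -in "$WORKDIR/webserver.csr" -noout -text | grep -o "DNS:[^,[:space:]]*"
}

# Stand-in for the real CA (constructed): a throwaway root signs the CSR and
# copies the SAN through an extension file, as a production CA would.
sign_with_test_ca() {
  fqdn="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/testca.key" -out "$WORKDIR/testca.pem" \
    -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/webserver.csr" \
    -CA "$WORKDIR/testca.pem" -CAkey "$WORKDIR/testca.key" -CAcreateserial \
    -days 30 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/webserver.pem" >/dev/null 2>&1
}

# Pre-install check of a signed certificate. Prints "ok" on success, otherwise
# the name of the first failing check: chain, hostname or keymismatch.
verify_signed_cert() {
  cert="$1"; ca="$2"; fqdn="$3"; key="$4"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo chain; return 1; }
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q "does match" \
    || { echo hostname; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$cert_pub" ] || { echo keymismatch; return 1; }
  echo ok
}

# End-to-end run: CSR, (simulated) signing, verification.
demo() {
  make_csr "$MANAGER_FQDN"
  sign_with_test_ca "$MANAGER_FQDN"
  verify_signed_cert "$WORKDIR/webserver.pem" "$WORKDIR/testca.pem" \
    "$MANAGER_FQDN" "$WORKDIR/webserver.key"
}
```

Run `demo` to see the SAN echoed back followed by `ok`; pointing `verify_signed_cert` at a certificate issued for a different name, or signed by a CA other than the one in `-CAfile`, reports which check failed so the certificate is not installed by mistake.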

Renew Cisco Catalyst SD-WAN SSL certificates for control components

Signed certificates authenticate devices in the fabric network. After devices are authenticated, they can establish secure sessions with each other.

Note

If you have a Cisco SD-WAN Cloud-Pro single tenant or multi-tenant control component fabric, use this certificate renewal process. Do not use this process for a shared-tenant fabric.
You can generate the Certificate Signing Request (CSR) and install the signed certificates using Cisco SD-WAN Manager. There are three options for the certificate root CA:

  • The Cisco Root CA bundle is present on control components with software version 19.2.3 and later, Cisco Catalyst SD-WAN devices with software version 19.2.3 and later, and Cisco IOS XE Catalyst SD-WAN devices with software versions 16.12.3 and later, 16.10.4 and later, or 17.x and later.

  • The Symantec/Digicert Root CA is present on all control components, Cisco Catalyst SD-WAN devices and Cisco IOS XE Catalyst SD-WAN devices.

  • Your own Enterprise Root CA.

Note

You select the certificate-generation method only once. The method you select is automatically applied each time you add a device to the fabric network.
To renew the control component certificates, use the appropriate process for your deployment type and certificate type.

The control component certification authorization settings determine how certificates are generated for control component devices. For more information, refer to Cisco Catalyst SD-WAN Control Component Certificates.

Because certificate renewal causes a control plane flap, always follow these certificate renewal instructions, even if you are using Cisco SD-WAN Cloud-Pro control components.

You must renew your certificates; the CloudOps team does not renew them for you. On the Cisco SD-WAN Manager Settings page, you can choose Symantec Automated or Cisco Automated. "Automated" refers to automatic submission of CSRs and retrieval of the signed certificates, which the manual option leaves to you. Even with an automated option, you must manually trigger the generation of a CSR for each control component to start the renewal process.

The Cisco SD-WAN Manager Dashboard displays a certificate expiration warning 6 months in advance. You can view the expiration date at any time by choosing Configuration > Certificates > Controllers from the Cisco SD-WAN Manager menu.

Note

As of Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.
The CloudOps team sends email notifications to the registered contact for your fabric 30 days, 15 days, and 5 days prior to expiration.

You can open a case to request or change the current registered email addresses. Keep the owner email address current for all CloudOps notifications, and keep the customer contact email address current for alerts. Use team addresses rather than individual user addresses if possible.

Check the control component certificate expiration dates and schedule the renewal at least one month before expiration.
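To check expiration dates outside the Manager dashboard, for instance from a monitoring job, the following added example (not Cisco's tooling or part of this guide) classifies a certificate against the timeline above: 6 months for the dashboard warning, 30 days for the first CloudOps notification, and renewal scheduled at least one month ahead. It uses `openssl x509 -checkend`, which is portable across openssl builds, instead of parsing date strings. `remote_cert_status` fetches the certificate a TLS endpoint presents (for the Manager web server) and classifies it; the host is whatever the caller passes. `make_sample_cert` only builds constructed certificates of a chosen validity so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not Cisco's code). Assumes openssl is in PATH.
set -eu

SIX_MONTHS=$((180 * 86400))
THIRTY_DAYS=$((30 * 86400))

# Print one of: expired, renew-now (under 30 days left),
# schedule-renewal (under 6 months left), ok.
cert_expiry_status() {
  cert="$1"
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired; return 0
  fi
  if ! openssl x509 -in "$cert" -noout -checkend "$THIRTY_DAYS" >/dev/null 2>&1; then
    echo renew-now; return 0
  fi
  if ! openssl x509 -in "$cert" -noout -checkend "$SIX_MONTHS" >/dev/null 2>&1; then
    echo schedule-renewal; return 0
  fi
  echo ok
}

# Classify the certificate presented by a live TLS endpoint (host and port are
# supplied by the caller; nothing here is a real address). Prints "unreachable"
# if no certificate could be retrieved.
remote_cert_status() {
  host="$1"; port="${2:-443}"; tmp=$(mktemp)
  if openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
       | openssl x509 -out "$tmp" 2>/dev/null; then
    cert_expiry_status "$tmp"
  else
    echo unreachable
  fi
  rm -f "$tmp"
}

# Constructed sample data only: a self-signed certificate valid for DAYS days.
make_sample_cert() {
  days="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -keyout "$out.key" -out "$out" -subj "/CN=sample-$days-days" >/dev/null 2>&1
}

# Usage on a saved certificate: cert_expiry_status /path/to/controller.pem
# Usage on a live endpoint:     remote_cert_status manager.example.net 443
```

A job that runs `cert_expiry_status` over the exported control component certificates once a day and alerts on anything other than `ok` gives you your own copy of the 6-month and 30-day reminders, independent of the dashboard login or the registered email addresses.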