Automated certificate management
Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a and Cisco Catalyst SD-WAN Manager Release 20.18.1
Automated certificate management on Cisco SD-WAN Manager:
- uses protocols such as EST and SCEP to automate certificate enrollment and renewal for WAN edge devices, and
- introduces enterprise certificate settings to unify certificate management across controller components, hardware WAN edges, and cloud WAN edges.
In Cisco SD-WAN Manager, automatic renewal of certificates using SCEP and EST configurations occurs only during the initial device onboarding or when migrating from a hardware SUDI certificate to an enterprise certificate. For subsequent renewals, manual intervention is required to initiate the process when a certificate expiry alarm is triggered in Cisco SD-WAN Manager. Once renewal is manually initiated, the system automatically manages the enrollment and installation of the new certificates. For more information, see the Control Components Certificate Management workflow.
Certificate management with Cisco SD-WAN Manager as a fabric client
Cisco SD-WAN Manager functions as a fabric client that:
- supports the SCEP and EST protocols to facilitate certificate enrollment and renewal for devices,
- enables independent certificate management on Cisco SD-WAN control components and WAN edge devices, and
- enhances network security and operational flexibility.
Prerequisites for automated certificate management on CA servers
Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a and Cisco Catalyst SD-WAN Manager Release 20.18.1
VPN reachability
Based on the chosen VPN (0 or 512), ensure that a route to the CA server is added, or that the CA server is reachable from the selected VPN.
Encryption algorithm
For Cisco SD-WAN Controllers, to renew certificates by configuring SCEP, the CA server must support an encryption algorithm stronger than triple DES.
Key size
Ensure that the minimum key size for certificates is 2048 bits or higher in CA servers.
EST configurations
- Ensure that Cisco SD-WAN Manager enrolls through the EST URL and that EST is enabled on the CA. Any certificate requested from Cisco SD-WAN Manager may include custom Common Name (CN) and Organizational Unit (OU) values; the CA must be configured not to override these custom values.
- Configure a username and password for EST enrollment if the CA server requires them.
- When configuring EST, you must provide the hostname or IP address that matches the digital certificate of the server, because the Cisco SD-WAN Manager EST client performs hostname verification.
SCEP configurations
- Allow the SCEP protocol on the CA server.
- Configure a default SCEP alias if required.
- Enable enrollment through SCEP.
- Set a higher requests-per-minute limit on the CA server to accommodate the anticipated enrollment volume.
- Ensure that the minimum key size for certificates is 2048 bits or higher.
- Use an encryption algorithm stronger than triple DES.
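Two of the prerequisites above (a key size of at least 2048 bits, and a server certificate that matches the hostname configured for EST, since the Cisco SD-WAN Manager EST client verifies hostnames) can be checked offline against an exported CA or EST server certificate. The script below is an added example, not Cisco code; it assumes openssl is on PATH and uses constructed self-signed certificates with placeholder names for the demonstration.

```shell
#!/bin/sh
# Preflight checks for CA-side prerequisites (example code, not part of
# Cisco SD-WAN Manager). Assumes openssl is installed and the CA or EST
# server certificate has been exported to a PEM file.

# Pass when the certificate's public key is 2048 bits or larger.
check_key_size() {
  bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
         | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Pass when the hostname configured for EST matches the server certificate
# (subject alternative name or CN), as the SD-WAN Manager EST client requires.
check_hostname() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Helper: build a constructed self-signed certificate for local testing.
make_test_cert() {  # make_test_cert <out.pem> <key-bits> <dns-name>
  openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -keyout /dev/null \
    -subj "/CN=$3" -addext "subjectAltName=DNS:$3" -out "$1" >/dev/null 2>&1
}

# Demo over constructed certificates; ca.example.test is a placeholder name.
tmp=$(mktemp -d)
make_test_cert "$tmp/good.pem" 2048 ca.example.test
make_test_cert "$tmp/weak.pem" 1024 ca.example.test
for cert in good weak; do
  check_key_size "$tmp/$cert.pem" && echo "$cert: key size OK" || echo "$cert: key size too small"
done
check_hostname "$tmp/good.pem" ca.example.test && echo "ca.example.test: hostname OK" || echo "ca.example.test: hostname mismatch"
check_hostname "$tmp/good.pem" other.example.test && echo "other.example.test: hostname OK" || echo "other.example.test: hostname mismatch"
rm -rf "$tmp"
```

Run the two check functions against the real exported certificate and the exact hostname you enter in the EST settings; a mismatch here is the same failure the EST client will report.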
Configure certificate settings
Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a and Cisco Catalyst SD-WAN Manager Release 20.18.1
Procedure
Step 1: From the Cisco SD-WAN Manager menu, choose Administration > Settings.
Step 2: Choose Certificate settings.
Step 3: Click Save.
Troubleshoot certificate management on the CA server
The following table provides troubleshooting information for certificate management on the CA server.
Error type | Error message | Plausible root cause | Troubleshooting steps
---|---|---|---
Internal server error | | The CA server responds with a 500 error. High CPU or memory usage on the CA server. |
Timeout error | | The API call to the CA server times out due to resource issues in CPU, memory, or enrollment rate limits on the CA server. | Increase resource limits or the enrollment rate on the CA server.
Unauthorized error | | |
EST configuration failure / timeout | Loss of OMP connection with controller. Sync of root-CA certificate failed on controllers. | Failed Netconf, permission errors, or device/controller issues. | Check logs for issues on devices/controllers.