Understand the Web Certificate For vManage

Available Languages

Download Options

  • PDF     (155.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (234.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (177.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 30, 2021
Document ID:217426

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the difference between the Web Certificate and the Controller Certificates on the Cisco SD-WAN solution. This document also explains in detail the Web Certificate and clarifies the use between these two types of certificates.

    Prerequisites

    Requirements

    Basic knowledge of Public Key Infrastructure (PKI).

    Components Used

    • Cisco vManage network management system (NMS) version 20.4.1
    • Google Chrome version 94.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Certificates Used on Cisco SD-WAN

    There are two types of certificates used in  Cisco SD-WAN solutions, Controller Certificates & Web Certificates.


    Web Certificate

    Used for web access to the vManage. Cisco installs a self-signed certificate by default. A Self-signed certificate is a Secure Sockets Layer (SSL) certificate that is signed by its own creator.

    However, Cisco recommends their own web server certificate. This is especially for cases, where network enterprises can have firewalls with web access restrictions.
    Cisco does not provide public web certificates issued by  Certificate Authority (CA).

    For more information on how to generate the vManage Web certificate, please refer to the guides: Generate Web Server Certificate and  How To Generate Self-Signed Web Certificate For vManage


    Controller Certificate

    Used to build control connections between the controllers i.e. vManage, vBonds, vSmarts.

    Note that these certificates are critical for the entire SDWAN fabric control plane and must be kept valid at all times.

    For more controller certificates information, please refer to the guide: Automated certificate signing through Cisco Systems

    Understand Web Certificate for vManage

    Hypertext Transfer Protocol Secure (HTTPS) is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the website in this case the vManage GUI. Users expect a secure and private connection when they access the vManage.

    To achieve a secure and private connection,  you must obtain a security certificate. The certificate is issued by a certificate authority (CA), which takes steps to verify that your vManage domain actually belongs to your organization.

    When a user accesses the vManage, the user PC performs an HTTPS connection and a secure tunnel is established between the vManage server and the computer with the SSL certificates installed for authentication. The authentication of the SSL certificate is performed on the user computer against the database of valid root CAs installed on the device. Usually, the computer has already installed multiples CA like, Google, GoDaddy, Enterprise CA (if this is the case), and more public entities. Therefore, if the Certificate Signing Request (CSR) is signed by Goddady (just an example) it is trusted.

    "Connection Is Not private" Message on vManage

    The vManage self-signed certificate is not signed by a CA. It has been signed by the same vManage and neither by the public nor private CA, therefore it is not trusted for a PC client. That is the reason, the browser displays a not secure/privacy error connection for the vManage URL.

    Example for the vMange error with the default self-signed certificate by the Google Chrome browser as shown in the image.

    Unsafe connection

    Note: Click on the view site information option, the certificate is displayed as invalid.

    Invalid cert

    Proactive information

    Certificate Registered to the Incorrect Website Name

    Ensure that the web certificate has been obtained for all hostnames that your site serves. For example, if your certificate only covers fictional domain www.vManage-example-test.com, a visitor who loads the site with the vManage-example-test.com (without the www. prefix),  and if it gets a signed certificate by a Public CA, it is trusted but it gets another error with a certificate name mismatch error.

    Note:  A common name mismatch error occurs when the common name of the SSL/TLS Certificate does not match the domain or address bar in the browser.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    30-Sep-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Amanda Nava Zarate
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products