Certificate Management


Note


To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.


Web Server Certificates

Cisco does not issue web certificates for Cisco SD-WAN Manager. We recommend that you generate the Certificate Signing Request (CSR) and get it signed by your Certificate Authority (CA) for your Domain Name System (DNS) name. Then, you may either add an A entry in your DNS server for the IP, or a CNAME to the .viptela.net / .sdwan.cisco.com Cisco SD-WAN Manager DNS name.


Note


The controller certificates issued by Cisco are for the controllers to use internally. You cannot use these certificates to issue web server certificates.


For more information, see the Web Server Certificates section in the Cisco Catalyst SD-WAN Getting Started Guide.

Renew Cisco Catalyst SD-WAN SSL Certificates for Controllers

Signed certificates are used to authenticate devices in the overlay network. After being authenticated, devices can establish secure sessions between each other.


Note


The certificate renewal process is applicable only if you have a dedicated single tenant or multi-tenant controller overlay. This process is not applicable if you have a shared tenant overlay.


You can generate the Certificate Signing Request (CSR) as well as install the signed certificates, using Cisco SD-WAN Manager. There are 3 options for Certificate Root CA:

  1. Cisco Root CA bundle (already present on controllers with software version 19.2.3 and above, Cisco Catalyst SD-WAN devices with software version 19.2.3 and above, Cisco IOS XE Catalyst SD-WAN devices with software versions 16.12.3+ or 16.10.4+ or 17.x+.

  2. Symantec/Digicert Root CA (already present on all controllers, Cisco Catalyst SD-WAN devices and Cisco IOS XE Catalyst SD-WAN devices).

  3. Your own Enterprise Root CA.


Note


Select the certificate-generation method only once. The method you select is automatically applied each time you add a device to the overlay network.


To renew the controller certificates, you need to follow the appropriate process based on your deployment type and certificate type:

  • The controller certification authorization settings configure the certification- generation process for all controller devices. For more information, see Cisco Catalyst SD-WAN Controller Certificates.

  • Note that since the certificate renewal involves an entire control plane flap, you are required to follow the instructions as per above, to renew the certificates, even for cloud hosted Cisco provisioned controllers.

  • The Cisco CloudOps team does not automatically renew the certificates for the customers.

  • On the Cisco SD-WAN Manager Settings page, there is an option for Symantec Automated or Cisco Automated where automated refers to automatic submission of CSRs and retrieval of certificates. The option does include automation of certain steps of the process, compared to the manual option. However, the step to trigger the generation of CSRs for each controller is still manual, to be done by you, to initiate the renewal process.

  • Note that the Cisco SD-WAN Manager Dashboard shows a warning 6 months in advance that the certificates are about to expire.

  • You can view the expiry date at any time at by choosing Configuration > Certificates > Controllers from the Cisco SD-WAN Manager menu.


    Note


    Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.


  • The Cisco CloudOps team sends email notifications 30/15/5 day prior to expiry, to the registered email address contact for the overlay in your system as well.

  • You can open a case with us anytime to request the current registered email address or change it. We recommend that customers help keep the owner email address updated for all Cisco CloudOps notifications. We recommend keeping us updated with the customer contact email address for alert notifications, preferably a team mailer address instead of an individual user email address.

  • Also, we recommend being aware of the controller certificate expiry dates and plan for renewal atleast a 1 month before expiry.