Cisco SDWAN Viptela - Everything you Wanted to Know About Certificates Deployment, But Were Afraid to Ask


By Rajiv Yadav

Hi All,

Many engineers are confused about which certificates need to be signed by the Root CA and how that is done. This blog post walks through completing this task during the initial setup phase of the Viptela fabric.

Let’s get started.

Once the controllers are deployed, either on-premises or in the cloud, we need to ensure basic IP reachability between them so they can form the DTLS/TLS control connections.

After your controllers are ready, add the vBond and vSmart controllers to vManage. This is easily done from the vManage dashboard. Now comes the tricky part [not exactly tricky, it's just that we are not aware of it :)].

When we open the vManage dashboard and see the controllers listed, the operation state shows N/A and the certificate serial reads "No Certificate Installed".

Now What????!!!!!!

Once the controllers are added, they must be able to form control connections with one another and with the edge routers. For that, each controller needs a signed certificate installed. The signed certificate, along with other parameters, is used for two-way (mutual) authentication, so the controllers trust one another and bring up the control connections.

The following five options are available:

  1. Automated Third-Party Certificate Signing Through Symantec/DigiCert
  2. Manual Third-Party Certificate Signing Through Symantec/DigiCert
  3. Automated Certificate Signing Through Cisco Systems
  4. Manual Certificate Signing Through Cisco Systems
  5. Enterprise Root Certificate Authority (CA)

Option 1: Automated Third-Party Certificate Signing Through Symantec/DigiCert

Symantec/DigiCert can be used as the Root CA. Generate a CSR for the controllers/edge routers and submit it to Cisco by opening a Cisco TAC case and selecting the appropriate options.

vManage checks for the certificates at the configured interval and installs them automatically once the request is approved and the certificates are signed. In the screenshot below, the interval is set to 60 minutes.

Note - In this method, vManage requires reachability to the Symantec server.

Option 2: Manual Third-Party Certificate Signing Through Symantec/DigiCert

This option is like the first, except that the CSR must be uploaded manually on the Symantec portal. The user still needs to open a Cisco TAC case and provide the details. The certificates are then sent as an attachment to the email address given in the contact information, and they can be either pasted or uploaded into vManage.

Option 3: Automated Certificate Signing Through Cisco Systems

If you have a Cisco Smart account, this is the quickest and most automated way to get the certificate signed by Cisco. All that needs to be done is to provide the Smart account credentials in the vManage dashboard, go to the controllers, and generate the CSR. The CSR is sent directly to Cisco and signed after approval. vManage polls for the signed certificates at the interval configured by the user and, once they are available, installs them on the respective controllers.

Note - In this method, vManage requires reachability to the Cisco PnP server.

Option 4: Manual Certificate Signing Through Cisco Systems

You can also get the certificate signed by Cisco via your Smart account manually if vManage is isolated from the Internet and cannot reach the Cisco PnP server. To do this, generate the CSR and paste its content on the PnP portal under the Certificates > Generate Certificate tab. Once the content is pasted, provide the appropriate name/validity/description and click Submit. Then download the signed certificate and install it on the vManage controller.

Option 5: Enterprise Root Certificate Authority (CA)

You can also have the certificates signed by your internal Root CA if you have one. To use this option, first install the Enterprise Root CA chain (.pem file) on vManage and set the CSR properties manually on the vManage controller. vManage then distributes this Root CA chain automatically to the other controllers in the fabric.

Once the Root CA chain is installed on the vManage controller, generate the CSR for the controllers/edges, have it signed by your Root CA, and install the signed certificate back on the controller as you normally would.
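To make the Option 5 flow concrete, here is an added example (not from this post, and not Cisco's or Viptela's own tooling) that walks the whole loop offline with plain openssl: it builds a throwaway enterprise root CA, creates a controller CSR whose subject mirrors the CSR properties you would set on vManage, signs it with that CA, and then runs the checks worth doing before uploading the result to a controller: that the certificate chains to the same root CA file installed on vManage, that its public key matches the key the CSR was generated with, and that the issued subject is the one requested. The CA name, hostname and subject fields are constructed values, not taken from the post.

```shell
#!/bin/sh
# Added example for the Enterprise Root CA option: a constructed root CA,
# a constructed controller CSR, a signed certificate, and the pre-upload
# checks. Runs in a temporary directory inside a subshell so the caller's
# working directory is untouched. Prints "ok" on success.

sdwan_ca_demo() (
    work="$(mktemp -d)" || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1

    # 1. Enterprise root CA. In production this already exists and its
    #    .pem is what gets installed on vManage; here it is constructed.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout ca.key -out ca.pem \
        -subj "/O=ExampleOrg/CN=ExampleOrg Enterprise Root CA" >/dev/null 2>&1 || exit 1

    # 2. CSR for a controller. The subject fields stand in for the CSR
    #    properties set on vManage (values are assumptions).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout vmanage.key -out vmanage.csr \
        -subj "/C=US/ST=California/L=San Jose/O=ExampleOrg/OU=SDWAN/CN=vmanage.example.com" \
        >/dev/null 2>&1 || exit 1

    # 3. Sign the CSR with the enterprise root CA (what your PKI team does).
    openssl x509 -req -sha256 -days 365 -in vmanage.csr \
        -CA ca.pem -CAkey ca.key -CAcreateserial -out vmanage.pem >/dev/null 2>&1 || exit 1

    # 4a. The signed cert must validate against exactly the CA chain file
    #     that was installed on vManage; otherwise the controllers will
    #     not trust each other.
    openssl verify -CAfile ca.pem vmanage.pem >/dev/null 2>&1 \
        || { echo "chain-fail"; exit 1; }

    # 4b. The cert must carry the public key from the CSR the controller
    #     generated; a cert issued for a different CSR is useless here.
    csr_pub="$(openssl req -in vmanage.csr -noout -pubkey)"
    crt_pub="$(openssl x509 -in vmanage.pem -noout -pubkey)"
    [ "$csr_pub" = "$crt_pub" ] || { echo "key-mismatch"; exit 1; }

    # 4c. The CA must not have rewritten the subject (organization, OU,
    #     CN) that the CSR requested.
    csr_subj="$(openssl req -in vmanage.csr -noout -subject)"
    crt_subj="$(openssl x509 -in vmanage.pem -noout -subject)"
    [ "${csr_subj#subject=}" = "${crt_subj#subject=}" ] \
        || { echo "subject-mismatch"; exit 1; }

    echo "ok"
)

# Usage: sdwan_ca_demo   (prints "ok", or a short reason on failure)
```

In a real deployment, steps 1 and 3 happen on your PKI side and only the CSR and the signed certificate cross over to vManage; the three checks in step 4 are the part worth keeping, run against the real CA chain .pem and the real CSR before you paste the certificate into the controller.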

In my next blog post, I will show you how to get the serial.viptela whitelist for your network.


Happy Blogging!!!!

Cheers!

Regards,

Rajiv Yadav