[Cisco SDWAN] Controller Certificates Options - Practical Installation Steps
#cisco #sdwan #controllers #certificate


When deploying or maintaining your SD-WAN controllers, one problem that often comes up is how to register or renew the controller certificates that secure communication within the control plane.

In this post, let’s discuss and learn how to do it.

What is trust?

There are two kinds of trust in computing: Direct trust and Third-party trust.

Figure 1. Direct Trust

If one entity trusts another entity directly, that is Direct trust.

Figure 2. 3rd Party Trust

If two entities trust each other because each of them trusts a common third party, that is Third-party trust.

Cisco SD-WAN works on the Third-party trust model: devices trust each other because they all trust a common root CA. That root CA is commonly a well-known entity such as Cisco or DigiCert, a trusted certificate generated by vBond, or your own local (enterprise) root CA.

Figure 3. Controllers Certificates Installed progress

Some simple terms

First, let's define some common terms: CSR, CRT, and CA.

Per Stack Overflow, CSR stands for Certificate Signing Request. It is a request for a certificate authority to sign a key: it carries the public key and the requested subject, and is itself signed with the private key so the CA can check the requester holds it. The private key is not included in the .csr.

A CRT holds the signed certificate produced by the certificate authority, which vouches for the authenticity of the public key. Again, the private key is not included in the .crt.

Sometimes you will see .pem files. PEM is just a container format: the content (a key, a certificate, a CSR, ...) is Base64 encoded between BEGIN/END header lines, so the same CSR or certificate may be named .csr, .crt, or .pem.

A Certificate Authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. The CA verifies the identity of the requester and provides a public interface to verify a certificate's authenticity.

The CA is responsible for signing the CSR and providing the resulting certificate to the requester, who then installs it on their device. The trust relationship between the CA and the requester is established through a chain of trust.

The main goal of a CA is to verify the authenticity and trustworthiness of an entity, so another entity knows exactly who they’re communicating with and whether that entity can be trusted with their data.

Cisco Signed certificate

You can install certificates on on-premises Cisco SD-WAN controllers or in a Cisco-hosted or provider-hosted cloud solution. The certificate renewal process is also covered in Cisco's documentation.

With this option, your controllers use a root CA signed by Cisco. The root certificates are published at the Cisco PKI Index.

Choose the certificate validity period and enter your Smart Account credentials.

Click “Sync Root Certificate” to retrieve your registered Root Certificate.


Head to Devices > Controllers to add your Controllers.


When adding a controller, tick "Generate CSR and send to Certificate Authority for signing".

Cisco signs the request automatically, and you will see the "CSR submitted for signing" message under Controllers.


This method may take a while for Cisco to process, and it requires your controllers to reach the internet. You can check progress on the Cisco Software Central > Plug and Play Connect > Certificates portal at https://software.cisco.com/#pnp-certificates


This is not suitable for every enterprise deployment, for example when the controllers cannot reach the internet.

Use a custom certificate

Option 1. Manual Cisco PKI certificate

This option requires vManage version 19.1 or later.

Go to Administration > Settings and change the controller certificate authorization to Manual.


Uploading the certificate request for each controller is done manually: open the Cisco Software Central > Plug and Play Connect > Certificates portal, choose Generate Certificate, paste in each controller's CSR, and choose the validity period for each device.


Once Cisco has processed the requests, download the .crt files for all your controllers; they are then ready to install.

Option 2. Enterprise certificate

This option requires you to have a CA. You can buy certificates from a well-known CA such as DigiCert, GlobalSign, or Verisign, or run your own CA, as I do here.

In this example I use OpenSSL to generate the root CA and sign the controller certificates. OpenSSL is available on every major Linux distribution.

First, generate the root CA key and certificate (ROOTCA.key and ROOTCA.pem). Remember to replace the organization name, which in my case is "clayton.local". Note that -nodes leaves ROOTCA.key unencrypted, so keep it on a protected host with restrictive permissions: anyone holding this key can issue certificates that your controllers will trust.

$ openssl genrsa -out ROOTCA.key 2048

$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 -subj "/C=US/ST=NY/L=NY/O=clayton.local/CN=root.certificate" -out ROOTCA.pem

$ ls
ROOTCA.key  ROOTCA.pem  archive_id_rsa.pub  master_root.crt  root_ca_uuid_list  vbond_csr

Grab your ROOTCA.pem file. Go to Administration > Settings, change to Enterprise Root Certificate, and paste in the file content.


Head to Configuration > Certificate > Controllers. Click the "…" symbol and choose Generate CSR for each controller.


Transfer all of the .csr files to the CA server:

$ ls
ROOTCA.key ROOTCA.pem archive_id_rsa.pub master_root.crt root_ca_uuid_list vBond.csr vManage.csr vSmart.csr vbond_csr        

Sign each .csr with the root CA:

$ openssl x509 -req -in vBond.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vBond.crt -days 500 -sha256

$ openssl x509 -req -in vSmart.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vSmart.crt -days 500 -sha256

$ openssl x509 -req -in vManage.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vManage.crt -days 500 -sha256

Download the resulting .crt files and proceed to the next step.
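As an added example (my own script, not code from the original post or from Cisco), here is the enterprise-CA flow above end to end, together with the checks I would run before pasting a .crt into vManage: the chain verifies against ROOTCA.pem, the issuer equals the root's subject, the certificate carries the public key from the CSR, neither file contains a private key (which is the point of the CSR/CRT definitions earlier), and there is enough validity left to plan renewal. It assumes openssl is on the PATH. The controller key and CSR are constructed stand-ins for the demo; in a real deployment vManage generates them and the private key never leaves the controller. Subjects and file names are likewise hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway enterprise root
# CA, sign a controller CSR the way the post does, then run the checks worth
# doing before installing the .crt in vManage. Assumes `openssl` is on PATH.
# The controller key/CSR below are constructed stand-ins (vManage normally
# generates them); subjects and names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA. -nodes leaves ROOTCA.key unencrypted (as in the post), so the umask
# keeps it owner-readable only. ROOTCA.pem is what gets pasted into
# Administration > Settings > Enterprise Root Certificate.
make_root_ca() {
  umask 077
  openssl genrsa -out "$WORK/ROOTCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ROOTCA.key" -sha256 -days 1024 \
    -subj "/C=US/ST=NY/L=NY/O=clayton.local/CN=root.certificate" \
    -out "$WORK/ROOTCA.pem" 2>/dev/null
}

# Constructed controller key + CSR standing in for vManage's "Generate CSR".
make_controller_csr() {  # $1 = controller name, e.g. vBond
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -sha256 \
    -subj "/C=US/ST=NY/L=NY/O=clayton.local/CN=$1.clayton.local" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Sign the CSR with the root CA: the same command the post uses (500 days).
sign_csr() {  # $1 = controller name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ROOTCA.pem" \
    -CAkey "$WORK/ROOTCA.key" -CAcreateserial -out "$WORK/$1.crt" \
    -days 500 -sha256 2>/dev/null
}

# Pre-install checks. Returns 0 only if: the chain verifies against the given
# root, the issuer is that root's subject, the certificate holds the public
# key from the CSR, and neither file contains a private key.
verify_cert() {  # $1 = controller name, $2 = root cert (default ROOTCA.pem)
  ca="${2:-$WORK/ROOTCA.pem}"
  openssl verify -CAfile "$ca" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  issuer=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer)
  root_subject=$(openssl x509 -in "$ca" -noout -subject)
  [ "${issuer#issuer=}" = "${root_subject#subject=}" ] || return 1
  [ "$(openssl req -in "$WORK/$1.csr" -noout -pubkey)" = \
    "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" ] || return 1
  ! grep -q 'PRIVATE KEY' "$WORK/$1.csr" "$WORK/$1.crt"
}

# Returns 0 if the certificate stays valid for at least $1 more days; use it to
# schedule renewal before the controllers lose their control connections.
valid_for_days() {  # $1 = days, $2 = certificate path
  openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# End to end: root CA, then CSR -> CRT -> checks for each controller.
run_demo() {
  make_root_ca
  for c in vBond vSmart vManage; do
    make_controller_csr "$c"
    sign_csr "$c"
    verify_cert "$c" || { echo "$c: FAILED pre-install checks"; return 1; }
    openssl x509 -in "$WORK/$c.crt" -noout -subject -enddate
  done
  echo "all controller certificates verified in $WORK"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh controller-ca.sh demo` to see the three controllers signed and checked. The verify_cert checks are the ones that catch the usual mistakes at this stage: pasting a certificate signed by a different root than the one configured in Administration > Settings, or pairing a .crt with the CSR of another controller. Like the post's commands, `openssl x509 -req` is used without an extension file, so pass `-extfile` if your CA policy requires extensions on the controller certificates.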

Install Certificate

To begin this step, make sure you have the .crt files for all your controllers. If any are missing, go back and obtain them before continuing.

Head to Configuration > Certificate > Controllers. Select each controller and click the Install Certificate button.

Select to upload or paste in your .crt files.


Let's check that all certificates are installed.


At this stage, all controllers should start to establish control connections with each other.

Conclusion

In this post, I hope you have gained a basic understanding of SD-WAN controller certificates and can now take the next step of building your own SD-WAN environment!




MD. Arif Anis

Solution Architect | Instructor | SDWAN | ACI | Catalyst Center | SDN | PCNSE | CCNA | ANSIBLE | AWS | PYTHON | DOCKER | KUBERNETES

1 year ago

Thank you for sharing Nam Nguyen
