Cisco Viptela: Web and Controller Certificates
Today we are going to talk about the certificates in the Cisco Viptela SDWAN for controller. There are 2 types of certificates used in SDWAN solution and these certificates are controller certificates & web server certificate.
Web Certificate
Web certificate is generally used for web access to the vManage. Cisco installs a self-signed certificate by default. In most of the cases customer uses their own web server certificate. This is especially for cases, where customer enterprise may have firewalls with web access restrictions. Cisco does not provide a public CA issued web certificates
Controller certificates
As we have three types of controller in Cisco Viptela SDWAN environment, you should need controller certificate to build control connections between the controllers. While vEdges get self-signed certificates from the vManage.
Note that these certificates are critical to upholding the entire SDWAN fabric and must be kept valid at all times.
When the Cisco Viptela SDWAN controller certificates are renewed and installed, the control plane would flap for a moment, however, there should be no impact to the data plane. The certificate installation takes only a few minutes.
Step 1: Login to the vManage portal with your username and password
 |
| Fig 1.1- Viptela Login Screen |
Step 2: Check the controller certificate authorization, there are 4 options which include
- Cisco Automated (Recommended)
- Symantec Automated
- Manual
- Enterprise Root Certificate
To check, navigate to
vManage > Administration > Settings > Controller Certificate Authorization
 |
| Fig 1.1- Cisco Viptela Certificate Authorization |
Here, in our case we are using with Symantec Automated for automated certificate retrieval and installation.
Step 3: Generate CSRs (Certificate Signing Requests) from the vManage screen for all the controllers. Below is to navigate to generate CSR for the controllers. Make sure you need to generate for all the controllers one by one.
vManage > Configuration (gear icon) > Certificates > Controllers > Options (3 dots) > Generate CSR
Step 4: Once you generate CSR, vManage will throw a popup notification showing it has successfully submitted the CSR.
However, If you see such an issue, you can copy the CSR from the Vmanage, and submit a request directly at Symantec/DigiCert at:
If you want to submit the request on the Symantec Portal directly, you need to follow the below steps
Step 1: Select Private SSL > Order Now
Step 2: Enter first name, last name, email address
Step 3: Paste the CSR text
Step 4: The Common name field will be auto populated
Step 5: Leave the fields at default for Intermediate Chains, Signature Hash & Server Platform
Step 6: Paste the Organization name from vManage in the Organization Units field
Step 7: Leave the Auto-renew field as unchecked
Step 8: Leave the other fields at default. No need to add anything else.
Step 9: Check on I agree & Submit
