Cisco Viptela: Web and Controller Certificates

Today we are going to talk about the certificates used by the controllers in the Cisco Viptela SDWAN solution. Two types of certificates are used in the SDWAN solution: controller certificates and web server certificates.

Web Certificate
The web certificate is generally used for web access to vManage. Cisco installs a self-signed certificate by default. In most cases customers use their own web server certificate, especially where the customer enterprise has firewalls with web access restrictions. Cisco does not provide public CA issued web certificates.

Controller certificates
As there are three types of controllers in a Cisco Viptela SDWAN environment, you need controller certificates to build control connections between the controllers, while vEdges get self-signed certificates from vManage.

Note that these certificates are critical to upholding the entire SDWAN fabric and must be kept valid at all times.

When the Cisco Viptela SDWAN controller certificates are renewed and installed, the control plane flaps for a moment; however, there should be no impact to the data plane. The certificate installation takes only a few minutes.

Step 1: Login to the vManage portal with your username and password 

Fig 1.1- Viptela Login Screen

Step 2: Check the controller certificate authorization. There are 4 options:
  • Cisco Automated (Recommended)
  • Symantec Automated
  • Manual
  • Enterprise Root Certificate
To check, navigate to 
vManage > Administration > Settings > Controller Certificate Authorization

Fig 1.1- Cisco Viptela Certificate Authorization

Here, in our case, we are using Symantec Automated for automated certificate retrieval and installation.

Step 3: Generate CSRs (Certificate Signing Requests) from the vManage screen for all the controllers. Make sure you generate a CSR for each controller, one by one. Navigate to the following path to generate the CSR:

vManage > Configuration (gear icon) > Certificates > Controllers > Options (3 dots) > Generate CSR

Step 4: Once you generate CSR, vManage will throw a popup notification showing it has successfully submitted the CSR. 

However, if you see such an issue, you can copy the CSR from vManage and submit a request directly at Symantec/DigiCert at:

If you want to submit the request on the Symantec Portal directly, you need to follow the below steps

Step 1: Select Private SSL > Order Now 

Step 2: Enter first name, last name, email address

Step 3: Paste the CSR text

Step 4: The Common name field will be auto populated

Step 5: Leave the fields at default for Intermediate Chains, Signature Hash & Server Platform

Step 6: Paste the Organization name from vManage in the Organization Units field

Step 7: Leave the Auto-renew field as unchecked

Step 8: Leave the other fields at default. No need to add anything else.

Step 9: Check on I agree & Submit
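
Before pasting a CSR into the portal (Step 3 above), it is worth confirming that the copied text is intact and names the right controller and organization. The script below is an added example, not part of the original post or of Cisco's or DigiCert's tooling. It assumes the CSR subject carries the vManage organization name in its OU attribute, and the function names and sample subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-submission check of a controller CSR copied from vManage.
# Assumption: the CSR subject's OU holds the vManage organization name.

# Print one subject attribute (CN, OU, ...) of the CSR in file $1.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null |
        sed -n "s/^ *$2=//p" | head -n 1
}

# Succeed only if the CSR's self-signature verifies, which shows the text
# parses as a CSR and was not damaged or altered during copy/paste.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# check_csr FILE ORG_NAME: prints a verdict, returns 0 only if all checks pass.
check_csr() {
    csr_signature_ok "$1" || { echo "FAIL: not a valid self-signed CSR"; return 1; }
    cn=$(csr_field "$1" CN)
    ou=$(csr_field "$1" OU)
    [ -n "$cn" ] || { echo "FAIL: CSR has no Common Name"; return 1; }
    [ "$ou" = "$2" ] || { echo "FAIL: OU '$ou' does not match '$2'"; return 1; }
    echo "OK: CN=$cn OU=$ou"
}

# Constructed sample input: a throwaway key and CSR with made-up subject values.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=US/O=Example Corp/OU=EXAMPLE-ORG - 0000/CN=vsmart-constructed.example.test" \
        2>/dev/null
}

# Usage: check_csr controller.csr "EXAMPLE-ORG - 0000"
```

Run check_csr once per controller CSR; a failure on the OU comparison usually means the organization name typed for the check differs from the one configured in vManage.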