Install Signed Certificates on vEdge Cloud Routers

When a vEdge Cloud router virtual machine (VM) instance starts, it has a factory-default configuration, which allows the router to boot. However, the router is unable to join the overlay network. For the router to be able to join the overlay network, you must install a signed certificate on the router. The signed certificates are generated based on the router's serial number, and they are used to authorize the router to participate in the overlay network.

In Releases 17.1 and later, the vManage NMS can act as a Certificate Authority (CA), and in this role it can automatically generate and install signed certificates on vEdge Cloud routers. You can also use another CA and then install the signed certificate manually. In Releases 16.3 and earlier, you manually install signed Symantec certificates on vEdge Cloud routers.

To install signed certificates:

  1. Retrieve the vEdge authorized serial number file. This file contains the serial numbers of all the vEdge routers that are allowed to join the overlay network.
  2. Upload the vEdge authorized serial number file to vManage NMS.
  3. Install a signed certificate on each vEdge Cloud router.

Retrieve vEdge Authorized Serial Number File

  1. Go to http://viptela.com/support/ and log in to Viptela Support.
  2. Click Downloads.
  3. Click My Serial Number Files. The screen displays the serial number files. For Releases 17.1 and later, the filename extension is .viptela. For Releases 16.3 and earlier, the filename extension is .txt.
  4. Click the most recent serial number file to download it.

Upload vEdge Authorized Serial Number File

  1. In vManage NMS, select the Configuration ► Devices screen.
  2. In the vEdge List tab, click Upload vEdge List.
  3. In the Upload vEdge window:
    1. Click Choose File, and select the vEdge authorized serial number file you downloaded from the Viptela Support website.
    2. To automatically validate the vEdge routers and send their serial numbers to the controllers, click and select the checkbox Validate the Uploaded vEdge List and Send to Controllers. If you do not select this option, you must individually validate each router in the Configuration ► Certificates ► vEdge List screen.
  4. Click Upload.

During the process of uploading the vEdge authorized serial number file, the vManage NMS generates a token for each vEdge Cloud router listed in the file. This token is used as a one-time password for the router. The vManage NMS sends the token to the vBond orchestrator and the vSmart controller.

After the vEdge authorized serial number file has been uploaded, a list of vEdge routers in the network is displayed in the vEdge Routers Table in the Configuration ► Devices screen, with details about each router, including the router's chassis number and its token.

Install Signed Certificates in Releases 17.1 and Later

In Releases 17.1 and later, to install a signed certificate on a vEdge Cloud router, you first generate and download a bootstrap configuration file for the router. This file contains all the information necessary to allow the vManage NMS to generate a signed certificate for the vEdge Cloud router. You then copy the contents of this file into the configuration for the router's VM instance. For this method to work, the router and the vManage NMS must both be running Release 17.1 or later. Finally, you download the signed certificate to the router. You can configure the vManage NMS to do this automatically or manually.

The bootstrap configuration file contains the following information:

  • UUID, which is used as the router's chassis number.
  • Token, which is a randomly generated one-time password that the router uses to authenticate itself with the vBond orchestrator and the vManage NMS.
  • IP address or DNS name of the vBond orchestrator.
  • Organization name.
  • If you have already created a device configuration template and attached it to the vEdge Cloud router, the bootstrap configuration file contains this configuration. For information about creating and attaching a configuration template, see Create Configuration Templates for a vEdge Router.

You can generate a bootstrap configuration file that contains information for an individual router or for multiple routers.

In Releases 17.1 and later, you can also have Symantec generate signed certificates that you install manually on each router, as described later in this article, but this method is not recommended.

Configure the vBond Orchestrator and Organization Name

Before you can generate a bootstrap configuration file, you must configure the vBond orchestrator DNS name or address and your organization name:

  1. In vManage NMS, select the Administration ► Settings screen.
  2. In the vBond bar, click Edit.
  3. In the vBond DNS/IP Address: Port field, enter the DNS name or IP address of the vBond orchestrator.
  4. Click Save.
  5. In the Organization Name bar, click Edit.
  6. In the Organization Name field, enter the name of your organization. This name must be identical to that configured on the vBond orchestrator.
  7. In the Confirm Organization name field, re-enter and confirm the organization name.
  8. Click Save.

Configure Automatic or Manual vEdge Cloud Authorization

Signed certificates must be installed on each vEdge cloud router so that the router is authorized to participate in the overlay network. You can use the vManage NMS as the CA to generate and install the signed certificate, or you can use an enterprise CA to install the signed certificate.

It is recommended that you use the vManage NMS as a CA. In this role, the vManage NMS automatically generates and installs a signed certificate on the vEdge Cloud router. Having the vManage NMS act as a CA is the default setting. You can view this setting in the vManage Administration ► Settings screen, in the vEdge Cloud Certificate Authorization bar.

To use an enterprise CA for generating signed certificates for vEdge Cloud routers:

  1. In vManage NMS, select the Administration ► Settings screen.
  2. In the vEdge Cloud Certificate Authorization bar, select Manual.
  3. Click Save.

Generate a Bootstrap Configuration File

To generate a bootstrap configuration file for a vEdge Cloud router:

  1. In vManage NMS, select the Configuration ► Devices screen.
  2. To generate a bootstrap configuration file for one or multiple vEdge Cloud routers:
    1. In the vEdge List tab, select Export Bootstrap Configuration.
    2. In the Generate Bootstrap Configuration field, select the file format:
      • For a vEdge Cloud router on a KVM hypervisor or on an AWS server, select Cloud-Init to generate a token, vBond orchestrator IP address, vEdge Cloud router UUID, and organization name.
      • For a vEdge Cloud router on a VMware hypervisor, select Encoded String to generate an encoded string.
    3. In the Available Devices window, select one or more routers.
    4. Click Generate Configuration. The bootstrap configuration is downloaded in a .zip file, which contains one .cfg file for each router.
  3. To generate a bootstrap configuration file individually for each vEdge Cloud router:
    1. In the vEdge List tab, select the desired vEdge Cloud router.
    2. Click the More Actions icon to the right of the row, and select Generate Bootstrap Configuration.
    3. In the Generate Bootstrap Configuration window, select the file format:
      • For a vEdge Cloud router on a KVM hypervisor or on an AWS server, select Cloud-Init to generate a token, vBond orchestrator IP address, vEdge Cloud router UUID, and organization name.
      • For a vEdge Cloud router on a VMware hypervisor, select Encoded String to generate an encoded string.
    4. Click Download to download the bootstrap configuration. The bootstrap configuration is downloaded in a .cfg file.

Then use the contents of the bootstrap configuration file to configure the vEdge Cloud router instance in AWS, ESXi, or KVM. For example, to configure a router instance in AWS, paste the text of the Cloud-Init configuration into the User data field.

By default, the ge0/0 interface is the router's tunnel interface, and it is configured as a DHCP client. To use a different interface or to use a static IP address, and if you did not attach a device configuration template to the router, change the vEdge Cloud router's configuration from the CLI. See Configuring Network Interfaces.

Install the Certificate on the vEdge Cloud Router

If you are using automated vEdge Cloud certificate authorization, which is the default, after you configure the vEdge Cloud router instance, vManage NMS automatically installs a certificate on the router and the router's token changes to its serial number. You can display the router's serial number in the Configuration ► Devices screen. After the router's control connections to the vManage NMS come up, any templates attached to the router are automatically pushed to the router.

If you are using manual vEdge Cloud certificate authorization, after you configure the vEdge Cloud router instance, follow this procedure to install a certificate on the router:

  1. Install the enterprise root certificate chain on the router:
    vEdge# request root-cert-chain install filename [vpn vpn-id]
    Then, the vManage NMS generates a CSR.
  2. Download the CSR:
    1. In vManage NMS, select the Configuration ► Certificates screen.
    2. Select the vEdge Cloud router for which to sign a certificate.
    3. Click the More Actions icon to the right of the row and select View CSR.
    4. To download the CSR, click Download.
  3. Send the certificate to a third-party signing authority, to have them sign it.
  4. Import the certificate into the device:
    1. In the Configuration ► Certificates screen, click the Controllers tab.
    2. Click the Install Certificate button located in the upper-right corner of the screen.
    3. In the Install Certificate screen, paste the certificate into the Certificate Text field, or click Select a File to upload the certificate in a file.
    4. Click Install.
  5. Issue the following REST API call, specifying the IP address of your vManage NMS:
    https://vmanage-ip-address/dataservice/system/device/sync/rootcertchain

Create the vEdge Cloud Router Bootstrap Configuration from the CLI

It is recommended that you generate the vEdge Cloud router's bootstrap configuration using the vManage NMS. If, for some reason, you do not want to do this, you can create the bootstrap configuration using the CLI. With this process, you must still, however, use the vManage NMS: you collect some of the information for the bootstrap configuration from the vManage NMS, and after you have created the bootstrap configuration, you use the vManage NMS to install the signed certificate on the router.

Installing signed certificates by creating a bootstrap configuration from the CLI is a three-step process:

  1. Edit the router's configuration file to add the DNS name or IP address of the vBond orchestrator and your organization name.
  2. Send the router's chassis and token numbers to the vManage NMS.
  3. Have the vManage NMS authenticate the vEdge Cloud router and install the signed certificate on the router.

To edit the vEdge Cloud router's configuration file from the CLI:

  1. Open a CLI session to the vEdge Cloud router via SSH. To do this in vManage NMS, select the Tools ► SSH Terminal screen, and select the desired router.
  2. Log in as the user admin, using the default password, admin. The CLI prompt is displayed.
  3. Enter configuration mode:
    vEdge# config
    vEdge(config)#
  4. Configure the IP address of the vBond orchestrator or a DNS name that points to the vBond orchestrator. The vBond orchestrator's IP address must be a public IP address:
    vEdge(config)# system vbond (dns-name | ip-address)
  5. Configure the organization name:
    vEdge(config-system)# organization-name name
  6. Commit the configuration:
    vEdge(config)# commit and-quit
    vEdge#

To send the vEdge Cloud router's chassis and token numbers to the vManage NMS:

  1. Locate the vEdge Cloud router's token and chassis number:
    1. In vManage NMS, select the Configuration ► Devices screen.
    2. In the vEdge List tab, locate the vEdge Cloud router.
    3. Make a note of the values in the vEdge Cloud router's Serial No./Token and Chassis Number columns.
  2. Send the router's bootstrap configuration information to the vManage NMS:
    vEdge# request vedge-cloud activate chassis-number chassis-number token token-number

Issue the show control local-properties command on the router to verify the vBond IP address, the organization name, the chassis number, and the token. You can also verify whether the certificate is valid.
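The verification step above can be scripted so that the values the router reports are compared exactly against what you noted in vManage (vBond address, organization name, chassis number) and the certificate state is checked. The following is an added example, not Viptela code: the two sample outputs are constructed, and the field names used (dns-name, organization-name, chassis-num/unique-id, root-ca-chain-status, certificate-status, certificate-validity, token) are assumed from the layout of the real show control local-properties output and should be confirmed against your router.

```python
"""Check 'show control local-properties' output against the values recorded in vManage
(vBond address, organization name, chassis number) and confirm the signed certificate
is installed and valid.  Added example, not Viptela code; samples are constructed."""
import re

# Constructed sample: router after vManage has installed the signed certificate.
ACTIVATED = """\
organization-name                 Example Corp
root-ca-chain-status              Installed
certificate-status                Installed
certificate-validity              Valid
dns-name                          vbond.example.net
chassis-num/unique-id             7b1e4f0a-2c6d-4e8b-9f3a-1d5c0e7a9b21
serial-num                        12345678
token                             -NA-
"""

# Constructed sample: same router right after boot, before activation (token still live).
PENDING = """\
organization-name                 Example Corp
root-ca-chain-status              Not-Installed
certificate-status                Not-Installed
certificate-validity              Not Applicable
dns-name                          vbond.example.net
chassis-num/unique-id             7b1e4f0a-2c6d-4e8b-9f3a-1d5c0e7a9b21
serial-num                        No certificate installed
token                             f0e1d2c3b4a5968778695a4b3c2d1e0f
"""

# Each line of the command output is 'key<two or more spaces>value'.
FIELD = re.compile(r"^(\S+)\s{2,}(.+?)\s*$")


def parse_local_properties(text: str) -> dict:
    """Turn the key/value lines of 'show control local-properties' into a dict."""
    props = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_router(text: str, vbond: str, org_name: str, chassis: str) -> list:
    """Return findings as 'field: got X, expected Y'; an empty list means the router
    matches what vManage recorded and holds a valid signed certificate."""
    p = parse_local_properties(text)
    expected = {
        "dns-name": vbond,                 # vBond name/address configured on the router
        "organization-name": org_name,     # must be identical to the vBond's org name
        "chassis-num/unique-id": chassis,  # Chassis Number column in vManage
        "root-ca-chain-status": "Installed",
        "certificate-status": "Installed",
        "certificate-validity": "Valid",
        "token": "-NA-",                   # one-time token is consumed after activation
    }
    return [f"{k}: got {p.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if p.get(k) != v]
```

Feed it the captured command output together with the three values from the Configuration ► Devices screen; a still-present token with no certificate means the activate command has not yet been processed by the vManage NMS.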

Finally, have the vManage NMS authenticate the vEdge Cloud router and install the signed certificate on the router.

If you are using automated vEdge Cloud certificate authorization, which is the default, the vManage NMS uses the chassis and token numbers to authenticate the router. Then, the vManage NMS automatically installs a certificate on the router and the router's token changes to a serial number. You can display the router's serial number in the Configuration ► Devices screen. After the router's control connections to the vManage NMS come up, any templates attached to the router are automatically pushed to the router.

If you are using manual vEdge Cloud certificate authorization, after you configure the vEdge Cloud router instance, follow this procedure to install a certificate on the router:

  1. Install the enterprise root certificate chain on the router:
    vEdge# request root-cert-chain install filename [vpn vpn-id]
    After you install the root chain certificate on the router, and after the vManage NMS receives the chassis and token numbers, the vManage NMS generates a CSR.
  2. Download the CSR:
    1. In vManage NMS, select the Configuration ► Certificates screen.
    2. Select the vEdge Cloud router for which to sign a certificate.
    3. Click the More Actions icon to the right of the row and select View CSR.
    4. To download the CSR, click Download.
  3. Send the certificate to a third-party signing authority, to have them sign it.
  4. Import the certificate into the device:
    1. In the Configuration ► Certificates screen, click the Controllers tab.
    2. Click the Install Certificate button located in the upper-right corner of the screen.
    3. In the Install Certificate screen, paste the certificate into the Certificate Text field, or click Select a File to upload the certificate in a file.
    4. Click Install.
  5. Issue the following REST API call, specifying the IP address of your vManage NMS:
    https://vmanage-ip-address/dataservice/system/device/sync/rootcertchain

Install Signed Certificates in Releases 16.3 and Earlier

For vEdge Cloud router virtual machine (VM) instances running Releases 16.3 and earlier, when the vEdge Cloud router VM starts, it has a factory-default configuration, but is unable to join the overlay network because no signed certificate is installed. You must install a signed Symantec certificate on the vEdge Cloud router so that it can participate in the overlay network.

To generate a certificate signing request (CSR) and install the signed certificate on the vEdge Cloud router:

  1. Log in to the vEdge Cloud router as the user admin, using the default password, admin. If the vEdge Cloud router is provided through AWS, use your AWS key pair to log in. The CLI prompt is displayed.
  2. Generate a CSR for the vEdge Cloud router:
    vEdge# request csr upload path
    path is the full path and filename where you want to upload the CSR. The path can be in a directory on the local device or on a remote device reachable through FTP, HTTP, SCP, or TFTP. If you are using SCP, you are prompted for the directory name and filename; no file path name is provided.
    When prompted, enter and then confirm your organization name.
    For example:
    vEdge# request csr upload home/admin/vm9.csr
    Uploading CSR via VPN 0
    Enter organization name            : Viptela, Inc.
    Re-enter organization name         : Viptela, Inc.
    Generating CSR for this vEdge device
    ........[DONE]
    Copying ... /home/admin/vm9.csr via VPN 0
    CSR upload successful
  3. Log in to the Symantec Certificate Enrollment portal:
    https://certmanager.websecurity.symantec.com/mcelp/enroll/index?jur_hash=f422d7ceb508a24e32ea7de4f78d37f8
    The Viptela SSL Certificate Portal screen is displayed.
  4. In the Select Certificate Type drop-down, select Standard Intranet SSL and click Go. The Certificate Enrollment screen is displayed. Viptela uses the information you provide on this form to confirm the identity of the certificate requestor and to approve your certificate request. To complete the Certificate Enrollment form:
    1. In the Your Contact Information section, specify the First Name, Last Name, and Email Address of the requestor.
    2. In the Server Platform and Certificate Signing section, select Apache from the Select Server Platform drop-down. In the Enter Certificate Signing Request (CSR) box, upload the generated CSR file, or copy and paste the contents of the CSR file. (For details about how to do this, log in to support.viptela.com. Click Certificate, and read the Symantec certificate instructions.)
    3. In the Certificate Options section, enter the validity period for the certificate.
    4. In the Challenge Phrase section, enter and then re-enter a challenge phrase. You use the challenge phrase to renew, and, if necessary, to revoke a certificate on the Symantec Customer Portal. It is recommended that you specify a different challenge phrase for each CSR.
    5. Accept the Subscriber Agreement. The system generates a confirmation message and sends an email to the requestor confirming the certificate request. It also sends an email to the Viptela Customer Support team asking them to approve the CSR.
  5. After Viptela approves the CSR, Symantec sends the signed certificate to the requestor. The signed certificate is also available through the Symantec Enrollment portal.
  6. Install the certificate on the vEdge Cloud router:
    vEdge# request certificate install filename [vpn vpn-id]
    The file can be in your home directory on the local device, or it can be on a remote device reachable through FTP, HTTP, SCP, or TFTP. If you are using SCP, you are prompted for the directory name and filename; no file path name is provided.
  7. Verify that the certificate is installed and valid:
    vEdge# show certificate validity

After you have installed the certificate on the vEdge Cloud router, the vBond orchestrator is able to validate and authenticate the router, and the router is able to join the overlay network.
