Create certificates for FlexEdge Secure SD-WAN Engines using external certificate management

After creating a Secure SD-WAN Engine element, configure the certificate request details for each Secure SD-WAN Engine node, export the certificate request, sign it using the external CA, then import the signed certificate.

Before you begin

Create a Secure SD-WAN Engine element. Follow the instructions in one of the following topics:
  • Configuring Single Engines
  • Configuring Engine Clusters
  • Configuring IPS engines
  • Configuring Layer 2 Engines
  • Master Secure SD-WAN Engine and Virtual Secure SD-WAN Engine configuration overview
    Note: Only Master Secure SD-WAN Engines communicate with the Management Server. It is not possible to configure certificate settings for Virtual Secure SD-WAN Engines.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Management Client, edit the certificate settings for each Secure SD-WAN Engine node.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Open the certificate settings in one of the following ways:
      • For single Secure SD-WAN Engines, click Certificate Settings on the General tab of the Engine Editor.
      • For Secure SD-WAN Engine clusters, browse to General > Clustering, right-click the Certificate cell for a node, then select Edit Certificate.
    4. In the certificate request details, enter the following information:
      • Common Name (CN) — Enter a common name that includes the name of the Secure SD-WAN Engine element.

        Example: Helsinki Secure SD-WAN

      • Subject Alternative Name (DNS) — Enter the name of the Secure SD-WAN Engine node as a fully qualified domain name (FQDN). An FQDN cannot contain spaces, so separate the words in the name with hyphens.

        Examples:

        Helsinki-Secure-SD-WAN.example.com

        Helsinki-Secure-SD-WAN-node1.example.com

      Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and within the external CA. Each node of a cluster needs its own FQDN.
    5. Complete the other certificate request details according to your environment.
    6. Click OK.
  2. Save the initial configuration for the Secure SD-WAN Engine.
    Follow the instructions in Prepare for Secure SD-WAN Configuration Wizard configuration.
  3. On the command line of the Secure SD-WAN Engine, make initial contact between the Secure SD-WAN Engine and the Management Server.
    Follow the instructions in Contact the Management Server on the command line.
    A certificate request is created for the Secure SD-WAN Engine and transferred to the Management Server.
  4. In the Management Client, export the certificate request for the Secure SD-WAN Engine.
    1. Select Home.
    2. Right-click a Secure SD-WAN Engine node, then select Certificate > Export Certificate Request.
    3. Browse to the location to save the certificate request and name it as you want, then click Export.
    4. Click OK to close the Certificate dialog box.
  5. Sign the certificate request using the external CA, then copy the signed certificate to a location that is accessible from the workstation on which you run the Management Client.
  6. In the Management Client, import the signed certificate for the Secure SD-WAN Engine.
    1. Select Home.
    2. Right-click a Secure SD-WAN Engine node, then select Certificate > Import Certificate.
    3. Browse to the signed certificate file, then click Import.
    4. Click OK to close the Import Certificate dialog box.

Result

The Secure SD-WAN Engine node receives the signed certificate from the Management Server.

Example

Table 1. Certificate Settings dialog box

Option: Name
Definition: The name of the element.

Option: Organization (O) (Optional)
Definition: The name of your organization as it appears in the certificate.

Option: Organizational Unit (OU) (Optional)
Definition: The name of your department or division as it appears in the certificate.

Option: State/Province (ST) (Optional)
Definition: The name of the state or province as it appears in the certificate.

Option: Locality (L) (Optional)
Definition: The name of the city as it appears in the certificate.

Option: Common Name (CN)
Definition: A common name that includes the name of the Secure SD-WAN Engine element.

Option: Public Key Algorithm (Not editable)
Definition: The algorithm used for the public key.
  Note: For Secure SD-WAN Engine certificates, only the ECDSA public key algorithm is supported.

Option: Key Length
Definition: The length of the key in bits. Enter 384 or 521 (the NIST P-384 or P-521 curve).

Option: Signature Algorithm (Not editable)
Definition: Shows the signature algorithm, which is selected according to the key length.

Option: Subject Alternative Name (DNS)
Definition: The name of the Secure SD-WAN Engine node as a fully qualified domain name (FQDN).