Renew Secure SD-WAN Engine certificates

Secure SD-WAN Engine certificates are renewed automatically. You might have to renew Secure SD-WAN Engine certificates manually in some cases.

The following situations might require you to manually renew Secure SD-WAN Engine certificates:

  • A message indicates that the certificate for a Secure SD-WAN Engine has expired.
  • A message indicates that the certificate authority that signed the component’s certificate is about to expire or has expired. A new certificate authority has been created, and the engine requires a new certificate.
  • Components refuse connection attempts with each other.
  • You have created an ECDSA CA and the engine has lost connectivity to the Management Server. You might also have to manually enable 256-bit security strength for the engine.

If the certificate for system communications expires, the Secure SD-WAN Engines continue processing traffic normally but all communications with other components stop. For clusters, traffic might be disrupted if expired certificates prevent nodes from synchronizing information. The same disruption can also happen if the internal certificate authority that signs the certificates for system communications is in the process of being renewed, and Secure SD-WAN Engines do not have new certificates signed by the new internal certificate authority that the system has automatically created.

Secure SD-WAN Engine certificates might expire if you have disabled automatic certificate renewal.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Management Client, save the initial configuration and generate a new one-time password for the Secure SD-WAN Engine.
  2. To renew contact between the engine and the Management Server using the new one-time password, run the following command on the command line of the Secure SD-WAN Engine:
    sg-reconfigure
  3. Follow the prompts in the Secure SD-WAN Configuration Wizard until the Prepare for Management Contact page opens.
  4. Select Contact, then press the spacebar.
  5. Enter the Management Server IP address and the one-time password.
  6. Highlight Finish, then press Enter.