Manually enable 256-bit security strength for Secure SD-WAN Engines

When you start using a new internal ECDSA certificate authority, 256-bit encryption is automatically enabled for Secure SD-WAN Engines. If a Secure SD-WAN Engine cannot communicate with the Management Server, manually enable 256-bit encryption on the Secure SD-WAN Engine, then make initial contact between the Secure SD-WAN Engine and the Management Server.

Before you begin

Create a new internal ECDSA certificate authority.

Steps

  1. On the command line of the Secure SD-WAN Engine, enter one of the following commands to start the Secure SD-WAN Configuration Wizard:
    • sg-reconfigure --no-shutdown

      The Secure SD-WAN Configuration Wizard starts without shutting down the Secure SD-WAN Engine. Network interface settings cannot be changed in this mode.

    • sg-reconfigure

      The Secure SD-WAN Engine shuts down, then the Secure SD-WAN Configuration Wizard starts. All options are available if you have a local connection. If you have a remote SSH connection, you cannot change network interface settings because the Secure SD-WAN Engine always uses the no-shutdown mode for SSH connections.

  2. Select Next on each page until the Prepare for Management Contact page opens.
  3. Select Contact or Contact at Reboot, then press the spacebar.
  4. Enter the Management Server IP address and the one-time password.
    Note: The one-time password is specific to each Secure SD-WAN Engine and can be used only for one initial connection to the Management Server. After initial contact has been made, the Secure SD-WAN Engine receives a certificate from the SMC for identification. If the certificate is deleted or expires, repeat the initial contact using a new one-time password.
  5. Select 256-bit Security Strength, then press the spacebar to use 256-bit encryption for the connection to the Management Server.
  6. (Optional) Enter the fingerprint for the Management Server.
    a. Select Edit Fingerprint, then press Enter.
    b. Enter the Management Server's certificate fingerprint.
      The fingerprint is shown in the Management Client when you save the initial configuration.
  7. Select Finish, then press Enter.

Result

The Secure SD-WAN Engine tries to make initial Management Server contact. The progress is shown on the command line.