Manually enable 256-bit security strength for Engines

When you start using a new internal ECDSA certificate authority, 256-bit encryption is automatically enabled for Engines. If an Engine cannot communicate with the Management Server, manually enable 256-bit encryption on the Engine, then make initial contact between the Engine and the Management Server.

1. On the command line of the Engine, enter one of the following commands to start the Engine Configuration Wizard:

   • sg-reconfigure --no-shutdown

     The Engine Configuration Wizard starts without shutting down the Engine. Network interface settings cannot be changed in this mode.

   • sg-reconfigure

     The Engine shuts down, then the Engine Configuration Wizard starts. All options are available if you have a local connection. If you have a remote SSH connection, you cannot change network interface settings because the Engine always uses the no-shutdown mode for SSH connections.

2. Select Next on each page until the Prepare for Management Contact page opens.
3. Select Contact or Contact at Reboot, then press the spacebar.
4. Enter the Management Server IP address and the one-time password.
   Note: The one-time password is specific to each Engine and can be used only for one initial connection to the Management Server. After initial contact has been made, the Engine receives a certificate from the Secure SD-WAN Manager for identification. If the certificate is deleted or expires, repeat the initial contact using a new one-time password.
5. Select 256-bit Security Strength, then press the spacebar to use 256-bit encryption for the connection to the Management Server.
6. (Optional) Enter the fingerprint for the Management Server.
   1. Select Edit Fingerprint, then press Enter.
   2. Enter the Management Server’s certificate fingerprint.
      The fingerprint is shown in the Management Client when you save the initial configuration.
7. Select Finish, then press Enter.