Managing certificates

When communicating with the orchestrator, the CPE device checks whether the orchestrator's certificates can be trusted to prevent MITM attacks. By default, the CPE device trusts public certification authorities.

If the orchestrator uses certificates signed by a custom certification authority, you must upload these certificates in the orchestrator web interface and install them on CPE devices. Standalone root certificates as well as certificate chains consisting of a root certificate and multiple intermediate certificates are supported.

30 days before the certificate expires, a notification is displayed when you log into the orchestrator web interface.

The table of certificates is displayed under SD-WAN → Certificates. Information about certificates is displayed in the following columns of the table:

• Common name is the domain name or host name for which the certificate is issued.
• Organization is the name of the organization that issued the certificate.
• Distribute to CPEs is the check box for installing the certificate on CPE devices. Certificates that have their check boxes selected are installed on CPE devices in the following cases:
  • Automatic registration (ZTP) of a CPE device
  • CPE device restart
  • Manual installation of certificates on the CPE device

  Selecting certificates incorrectly may cause the CPE device to stop trusting the certificate of the orchestrator and to disconnect from it.

• From is the start date of certificate validity.
• To is the certificate expiration date.

The actions you can perform with the table are described in the Managing solution component tables instructions.

In this section Uploading a certificate using the orchestrator web interface Manually installing certificates on CPE devices Scenario: installing certificates on a CPE device with firmware version 23.07 Exporting a certificate Deleting certificates

Page top