Skip to content

5.6 Certificate Management

Document Information

  • Version: 1.0
  • Last Updated: December 2025
  • Author: Abhavtech Network Engineering
  • Classification: Internal Use

5.6.1 Certificate Architecture

PKI Hierarchy

+------------------------------------------------------------------+
|             ABHAVTECH SD-WAN PKI ARCHITECTURE                     |
+------------------------------------------------------------------+
|                                                                   |
|                    ┌─────────────────────┐                       |
|                    │  Abhavtech Root CA  │                       |
|                    │  (Offline, HSM)     │                       |
|                    │  Validity: 20 years │                       |
|                    └──────────┬──────────┘                       |
|                               │                                   |
|              ┌────────────────┼────────────────┐                 |
|              │                │                │                  |
|              ▼                ▼                ▼                  |
|    ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐   |
|    │ Issuing CA      │ │ SD-WAN CA       │ │ Web CA          │   |
|    │ (General)       │ │ (Controllers)   │ │ (HTTPS)         │   |
|    │ 10 years        │ │ 10 years        │ │ 5 years         │   |
|    └────────┬────────┘ └────────┬────────┘ └────────┬────────┘   |
|             │                   │                   │             |
|             ▼                   ▼                   ▼             |
|    ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐   |
|    │ User/Device     │ │ vManage         │ │ vManage Web     │   |
|    │ Certificates    │ │ vSmart          │ │ Certificate     │   |
|    │ 1-2 years       │ │ vBond           │ │ 1 year          │   |
|    │                 │ │ WAN Edge        │ │                 │   |
|    │                 │ │ 2 years         │ │                 │   |
|    └─────────────────┘ └─────────────────┘ └─────────────────┘   |
|                                                                   |
+------------------------------------------------------------------+

Certificate Types

Certificate Type Purpose Validity Signed By
Root CA Trust anchor 20 years Self-signed
SD-WAN Issuing CA Sign controller/edge certs 10 years Root CA
vManage Certificate Controller authentication 2 years Issuing CA
vSmart Certificate Controller authentication 2 years Issuing CA
vBond Certificate Orchestrator authentication 2 years Issuing CA
WAN Edge Certificate Device authentication 2 years Issuing CA
Web Certificate HTTPS UI access 1 year Public CA

5.6.2 Enterprise CA Setup

CA Configuration for SD-WAN

# OpenSSL CA configuration for SD-WAN certificates
# File: /etc/pki/sdwan-ca/openssl.cnf

[ ca ]
default_ca = sdwan_ca

[ sdwan_ca ]
dir               = /etc/pki/sdwan-ca
certs             = $dir/certs
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
private_key       = $dir/private/sdwan-ca.key
certificate       = $dir/certs/sdwan-ca.crt
default_days      = 730
default_md        = sha256
policy            = policy_match

[ policy_match ]
countryName             = match
organizationName        = match
commonName              = supplied

[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ v3_controller ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[ v3_wan_edge ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectAltName         = @alt_names

Certificate Template (Microsoft CA)

# SD-WAN Controller Certificate Template
# Windows Server CA Manager

Template Name: SD-WAN-Controller
Validity Period: 2 years
Renewal Period: 6 weeks

Key Usage:
  - Digital Signature
  - Key Encipherment

Extended Key Usage:
  - Server Authentication (1.3.6.1.5.5.7.3.1)
  - Client Authentication (1.3.6.1.5.5.7.3.2)

Subject Name:
  - Supply in request (from CSR)

Extensions:
  - Subject Alternative Name: Include in request

Issuance Requirements:
  - CA certificate manager approval: Yes

5.6.3 Certificate Signing Process

CSR Generation and Signing Workflow

+------------------------------------------------------------------+
|            CERTIFICATE SIGNING WORKFLOW                           |
+------------------------------------------------------------------+
|                                                                   |
|  STEP 1: Generate CSR on Device                                  |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  vManage/vSmart/vBond/WAN-Edge:                            │  |
|  │  # request certificate generate csr                        │  |
|  │                                                             │  |
|  │  Output: PEM-encoded CSR                                   │  |
|  └────────────────────────────────────────────────────────────┘  |
|                         │                                         |
|                         ▼                                         |
|  STEP 2: Submit CSR to Enterprise CA                             |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  Method A: Web Enrollment                                  │  |
|  │    https://ca.abhavtech.com/certsrv                        │  |
|  │                                                             │  |
|  │  Method B: certreq (Windows)                               │  |
|  │    certreq -submit -config "CA\Abhavtech-CA" request.csr   │  |
|  │                                                             │  |
|  │  Method C: openssl (Linux)                                 │  |
|  │    openssl ca -config openssl.cnf -in request.csr          │  |
|  └────────────────────────────────────────────────────────────┘  |
|                         │                                         |
|                         ▼                                         |
|  STEP 3: CA Manager Approval                                     |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  - Review CSR subject and SANs                             │  |
|  │  - Verify device identity                                  │  |
|  │  - Approve certificate issuance                            │  |
|  └────────────────────────────────────────────────────────────┘  |
|                         │                                         |
|                         ▼                                         |
|  STEP 4: Install Certificate on Device                           |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  # request root-cert-chain install ca-chain.pem            │  |
|  │  # request certificate install signed-cert.pem             │  |
|  └────────────────────────────────────────────────────────────┘  |
|                                                                   |
+------------------------------------------------------------------+

Automated Certificate Signing Script

#!/usr/bin/env python3
"""
SD-WAN Certificate Automation
Signs CSRs using Enterprise CA API
"""

import requests
import base64
import json
from datetime import datetime

class CertificateManager:
    def __init__(self, ca_url, username, password):
        self.ca_url = ca_url
        self.auth = (username, password)
        self.session = requests.Session()
        self.session.auth = self.auth
        self.session.verify = True

    def sign_csr(self, csr_pem, template="SD-WAN-Controller", san_dns=None, san_ip=None):
        """Submit CSR to CA and get signed certificate"""

        # Prepare CSR for submission
        csr_b64 = base64.b64encode(csr_pem.encode()).decode()

        # Build SAN extension
        san_entries = []
        if san_dns:
            san_entries.extend([f"dns={dns}" for dns in san_dns])
        if san_ip:
            san_entries.extend([f"ipaddress={ip}" for ip in san_ip])

        payload = {
            "csr": csr_b64,
            "template": template,
            "san": san_entries,
            "validity_days": 730
        }

        response = self.session.post(
            f"{self.ca_url}/api/v1/certificate/sign",
            json=payload
        )

        if response.status_code == 200:
            cert_data = response.json()
            return base64.b64decode(cert_data["certificate"]).decode()
        else:
            raise Exception(f"Certificate signing failed: {response.text}")

    def get_ca_chain(self):
        """Retrieve CA certificate chain"""
        response = self.session.get(f"{self.ca_url}/api/v1/ca/chain")
        return response.json()["chain"]

# Usage example
if __name__ == "__main__":
    ca = CertificateManager(
        "https://ca.abhavtech.com",
        "cert-admin",
        "password"
    )

    # Read CSR from file
    with open("vmanage-1.csr", "r") as f:
        csr = f.read()

    # Sign CSR
    signed_cert = ca.sign_csr(
        csr,
        template="SD-WAN-Controller",
        san_dns=["vmanage-1.abhavtech.com", "sdwan-manager.abhavtech.com"],
        san_ip=["10.255.0.11"]
    )

    # Save signed certificate
    with open("vmanage-1-signed.pem", "w") as f:
        f.write(signed_cert)

    print("Certificate signed successfully")

5.6.4 Certificate Installation

Controller Certificate Installation

! Install on vManage
vManage# request root-cert-chain install /home/admin/abhavtech-ca-chain.pem
Uploading root-ca-chain via VPN 0
Successfully installed root certificates

vManage# request certificate install /home/admin/vmanage-1-signed.pem
Successfully installed the certificate

! Verify installation
vManage# show certificate installed
Certificate:
  Subject: CN=vmanage-1.abhavtech.com,O=Abhavtech,C=IN
  Issuer: CN=Abhavtech-SD-WAN-CA,O=Abhavtech,C=IN
  Serial Number: 0x1234ABCD
  Not Before: Dec 15 00:00:00 2025 GMT
  Not After: Dec 15 23:59:59 2027 GMT
  Key Type: RSA 2048
  Signature: sha256WithRSAEncryption
  Status: Valid

! Check certificate chain
vManage# show certificate root-ca-cert
Root CA Certificate:
  Subject: CN=Abhavtech-Root-CA,O=Abhavtech,C=IN
  Issuer: CN=Abhavtech-Root-CA,O=Abhavtech,C=IN
  Valid Until: Dec 31 2045

WAN Edge Certificate Installation

! For WAN Edge using Enterprise CA
! Option 1: Manual installation
wan-edge# request platform software sdwan root-cert-chain install bootflash:ca-chain.pem
wan-edge# request platform software sdwan certificate install bootflash:wan-edge-signed.pem

! Option 2: Automatic via vManage (ZTP)
! Configure Enterprise CA in vManage
vManage GUI: Administration > Settings > Enterprise Root Certificate
  - Upload CA chain
  - Enable automatic certificate distribution

! WAN Edge will receive certificate during onboarding

5.6.5 Certificate Monitoring

Certificate Expiration Monitoring

#!/usr/bin/env python3
"""
SD-WAN Certificate Expiration Monitor
Alerts when certificates are expiring
"""

import requests
import json
from datetime import datetime, timedelta

VMANAGE = "sdwan-manager.abhavtech.com"
ALERT_THRESHOLD_DAYS = 90

def get_certificate_status():
    session = requests.Session()
    session.verify = False

    # Authenticate
    session.post(
        f"https://{VMANAGE}/j_security_check",
        data={"j_username": "admin", "j_password": "password"}
    )

    token = session.get(f"https://{VMANAGE}/dataservice/client/token").text
    session.headers["X-XSRF-TOKEN"] = token

    # Get all device certificates
    response = session.get(
        f"https://{VMANAGE}/dataservice/certificate/record"
    )

    return response.json().get("data", [])

def check_expiration(certificates):
    alerts = []
    now = datetime.now()
    threshold = now + timedelta(days=ALERT_THRESHOLD_DAYS)

    for cert in certificates:
        expiry_str = cert.get("expirationDate", "")
        if expiry_str:
            expiry = datetime.strptime(expiry_str, "%Y-%m-%d")

            if expiry < threshold:
                days_remaining = (expiry - now).days
                alerts.append({
                    "device": cert.get("host-name"),
                    "system_ip": cert.get("system-ip"),
                    "expiry_date": expiry_str,
                    "days_remaining": days_remaining,
                    "status": "CRITICAL" if days_remaining < 30 else "WARNING"
                })

    return alerts

def main():
    print("=== SD-WAN Certificate Expiration Report ===")
    print(f"Generated: {datetime.now().isoformat()}")
    print()

    certificates = get_certificate_status()
    alerts = check_expiration(certificates)

    if alerts:
        print("CERTIFICATES REQUIRING ATTENTION:")
        for alert in sorted(alerts, key=lambda x: x["days_remaining"]):
            print(f"  [{alert['status']}] {alert['device']} ({alert['system_ip']})")
            print(f"          Expires: {alert['expiry_date']} ({alert['days_remaining']} days)")
    else:
        print("All certificates valid for next 90 days")

if __name__ == "__main__":
    main()

vManage Certificate Dashboard

vManage GUI: Monitor > Certificates

Dashboard shows:
  - All device certificates
  - Expiration dates
  - Certificate status (Valid/Expiring/Expired)
  - CSR pending approval

Alerts configured:
  - 90 days before expiry: Email warning
  - 30 days before expiry: Critical alert
  - 7 days before expiry: Escalation to management

5.6.6 Certificate Renewal

Renewal Procedure

+------------------------------------------------------------------+
|            CERTIFICATE RENEWAL WORKFLOW                           |
+------------------------------------------------------------------+
|                                                                   |
|  STEP 1: Generate New CSR (60 days before expiry)                |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  device# request certificate generate csr                  │  |
|  │  ! Old certificate remains valid during renewal            │  |
|  └────────────────────────────────────────────────────────────┘  |
|                                                                   |
|  STEP 2: Submit to CA and Get Signed                             |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  ! Same process as initial signing                         │  |
|  │  ! New certificate has new validity period                 │  |
|  └────────────────────────────────────────────────────────────┘  |
|                                                                   |
|  STEP 3: Install New Certificate                                 |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  device# request certificate install new-cert.pem          │  |
|  │  ! Traffic continues on old cert until install complete    │  |
|  │  ! Automatic switch to new cert after installation         │  |
|  └────────────────────────────────────────────────────────────┘  |
|                                                                   |
|  STEP 4: Verify and Clean Up                                     |
|  ┌────────────────────────────────────────────────────────────┐  |
|  │  device# show certificate installed                        │  |
|  │  ! Verify new expiration date                              │  |
|  │  ! Old certificate automatically removed                   │  |
|  └────────────────────────────────────────────────────────────┘  |
|                                                                   |
+------------------------------------------------------------------+

Automated Renewal Script

#!/bin/bash
# certificate_renewal.sh - Automated certificate renewal

DEVICE_IP=$X
DEVICE_NAME=$X

echo "=== Certificate Renewal for $DEVICE_NAME ==="

# Step 1: Generate CSR
echo "Generating CSR..."
ssh admin@$DEVICE_IP "request certificate generate csr" > /tmp/${DEVICE_NAME}.csr

# Step 2: Submit to CA (using API)
echo "Submitting to CA..."
python3 /opt/sdwan/sign_csr.py /tmp/${DEVICE_NAME}.csr /tmp/${DEVICE_NAME}-signed.pem

# Step 3: Install certificate
echo "Installing certificate..."
scp /tmp/${DEVICE_NAME}-signed.pem admin@$DEVICE_IP:/home/admin/
ssh admin@$DEVICE_IP "request certificate install /home/admin/${DEVICE_NAME}-signed.pem"

# Step 4: Verify
echo "Verifying installation..."
ssh admin@$DEVICE_IP "show certificate installed"

echo "=== Renewal Complete ==="

5.6.7 Certificate Revocation

CRL Configuration

! Configure CRL checking on controllers
vManage GUI: Administration > Settings > Certificate Revocation

CRL Settings:
  - Enable CRL checking: Yes
  - CRL Distribution Point: http://ca.abhavtech.com/crl/sdwan-ca.crl
  - CRL refresh interval: 24 hours
  - Cache CRL: Yes

! Manual CRL update
vManage# request certificate crl update

! Check CRL status
vManage# show certificate crl
CRL Status:
  Last Update: 2025-12-15 00:00:00 UTC
  Next Update: 2025-12-16 00:00:00 UTC
  Entries: 3

Revoking a Certificate

! On Enterprise CA - revoke compromised certificate
# Using OpenSSL
openssl ca -config openssl.cnf -revoke compromised-cert.pem -crl_reason keyCompromise

# Generate new CRL
openssl ca -config openssl.cnf -gencrl -out sdwan-ca.crl

# Publish CRL to distribution point
scp sdwan-ca.crl webserver:/var/www/crl/

! On SD-WAN - force CRL refresh
vManage# request certificate crl update

5.6.8 Troubleshooting

Common Certificate Issues

Issue Symptoms Resolution
Chain incomplete Auth failure Install full CA chain
Expired certificate Control connection down Renew certificate
Wrong key usage TLS handshake fail Reissue with correct EKU
Time skew Cert appears invalid Sync NTP on device
CRL unavailable Warning in logs Check CRL distribution point

Diagnostic Commands

! Check certificate status
device# show certificate installed
device# show certificate root-ca-cert
device# show certificate signing-request

! Verify certificate chain
device# show certificate validity

! Debug certificate issues
device# debug sdwan certificate
device# show sdwan certificate status

! Check control plane authentication
device# show sdwan control connections
device# show sdwan control local-properties | include certificate

Document Control

Version Date Author Changes
1.0 December 2025 Abhavtech Network Engineering Initial release

Abhavtech Confidential - SD-WAN Certificate Management Guide