Setting up an Ubuntu CA for Cisco SD-WAN

Updated: 17 hours ago

For our SD-WAN controllers to be able to communicate securely with each other, the controllers need a root certificate. Once they all have a root certificate installed, they can set up a secure control plane connection in order to mutually authenticate one another.

In my lab I have deployed an Ubuntu server with 2 Ethernet interfaces. The first step in setting up the CA is to configure this device with static IP addresses.

Start by verifying IP info and interface names: ip a

  1. I had to use the "altname" from the output to get the static configuration to work

    1. ens3 (altname: enp0s3) corresponded with e0 in my diagram

    2. ens4 (altname: enp0s4) corresponded with e1 in my diagram

Next I'll make a backup of the current netplan config, in case I mess up the rest of the config and need to roll back.

sudo cp /etc/netplan/00-installer-config.yaml /etc/netplan/00-installer.config.yaml.BACKUP

Here's the new config that will be used in my lab environment. ENP0S4 connects to the management network and ENP0S3 connects to the underlay network. Note that I'm using the "routes" statement as opposed to the deprecated "gateway" configuration for the default route.

      dhcp4: false
          addresses: []
      dhcp4: false
      dhcp6: false
      - to: default
       addresses: []
  version: 2

sudo netplan apply

Once this has been set up properly and we can reach our other components, we can start on the certificate part.

First we generate our private key.

openssl genrsa -out CA.key 2048

Next we use this private key to generate our self-signed root certificate.

openssl req -new -x509 -days 365 -key CA.key -out CA.crt

After hitting enter, you'll need to provide additional info about your organization (country, state/province, city, organization, ...). You'll then have your new self-signed root certificate available, which can be copied onto our controllers.
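Before the certificate is copied anywhere, it is worth confirming that CA.key and CA.crt belong together, that the key file is not readable by other users, and what the certificate's fingerprint is. The script below is an added example, not part of the original post; the script name check_ca.sh and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example: checks on the CA.key / CA.crt pair created with the commands above.
# Usage (assumed file name): sh check_ca.sh CA.key CA.crt

# SHA-256 fingerprint of a certificate file, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True only if the private key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# True if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the key file has no group/other permission bits set (e.g. mode 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; returns non-zero if any of them fails.
check_ca() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    valid_for_days "$2" 30     || { echo "FAIL: $2 expires within 30 days"; rc=1; }
    key_is_private "$1"        || { echo "FAIL: $1 is readable by group/other"; rc=1; }
    echo "SHA-256 fingerprint of $2: $(cert_fingerprint "$2")"
    return "$rc"
}

# Only run when both file names are given on the command line.
if [ "$#" -eq 2 ]; then
    check_ca "$1" "$2"
fi
```

The printed fingerprint is the value to compare against the copy of CA.crt that ends up on each controller, so a wrong or altered file is noticed before it is installed as a trust anchor.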

We can easily copy the certificate to each of the controllers using scp:

user@ubuntu:~$ scp CA.crt admin@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:SrMAeXpNX826K8Y64g5bzXqf2ubcz3GUEJGaFam+L30.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
viptela 20.9.4

(admin@ Password:
CA.crt                                                                        100% 1249     1.5MB/s   00:00

Repeat this process for the other 2 controllers as well:

scp CA.crt admin@
scp CA.crt admin@

We can verify that the certificate is on the device by logging into it and accessing the Linux shell through the vshell command:

vSmart# vshell
vSmart:~$ pwd
vSmart:~$ ls

Finally, install the root certificate on each of the devices (vBond, vSmart, vManage):

request root-cert-chain install /home/admin/CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

To complete the certificate deployment, we need to tell SD-WAN as a whole to use this certificate for authentication. You can do this by browsing to the following vManage URL:


This should return a message stating that the root cert chain sync has been done. If you don't get this output and you just get logged into the vManage portal, retry browsing to that URL and you should get the message.

syncRootCertChain: done

This completes the basic certificate setup of our SD-WAN deployment. In the next post we'll continue setting up the controllers.
