Kaspersky SD-WAN

Managing certificates

When communicating with the orchestrator, the CPE device checks whether the orchestrator's certificates can be trusted to prevent MITM attacks. By default, the CPE device trusts public certification authorities.

If the orchestrator uses certificates signed by a custom certification authority, you must upload these certificates in the orchestrator web interface and install them on CPE devices. Standalone root certificates as well as certificate chains consisting of a root certificate and multiple intermediate certificates are supported.

30 days before the certificate expires, a notification is displayed when you log into the orchestrator web interface.

The table of certificates is displayed under SD-WAN → Certificates. Information about certificates is displayed in the following columns of the table:

  • Common name is the domain name or host name for which the certificate is issued.
  • Organization is the name of the organization that issued the certificate.
  • Distribute to CPEs is the check box for installing the certificate on CPE devices. Certificates that have their check boxes selected are installed on CPE devices in the following cases:

    Selecting certificates incorrectly may cause the CPE device to stop trusting the certificate of the orchestrator and to disconnect from it.

  • From is the start date of certificate validity.
  • To is the certificate expiration date.

The actions you can perform with the table are described in the Managing solution component tables instructions.

In this section

Uploading a certificate using the orchestrator web interface

Manually installing certificates on CPE devices

Scenario: installing certificates on a CPE device with firmware version 23.07

Exporting a certificate

Deleting certificates


Uploading a certificate using the orchestrator web interface

To upload a certificate in the orchestrator web interface:

  1. In the menu, go to the SD-WAN → Certificates section.

    A table of certificates is displayed.

  2. In the upper part of the page, click + Certificate.
  3. Specify the path to the certificate file in PEM format. Maximum file size: 16 KB.

The certificate is uploaded and displayed in the table. The Certificate <certificate name> uploaded message appears.
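A pre-upload check for the PEM file, as an added example that is not Kaspersky code: it enforces the 16 KB limit from step 3, flags PEM blocks that are not certificates (for example, a private key left in the bundle), and reports certificates that are expired or within the 30-day expiry window. The function names, the reading of 16 KB as 16 * 1024 bytes, and the minimal DER reader are assumptions of this example.

```python
import base64, re
from datetime import datetime, timedelta, timezone

MAX_BYTES = 16 * 1024   # page: maximum file size 16 KB (assumed to mean 16 * 1024 bytes)
WARN_DAYS = 30          # page: the orchestrator warns 30 days before expiry
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter (UTC) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _skip in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # Validity SEQUENCE
    _, _, pos = _tlv(der, pos)              # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_bundle(data, now=None):
    """Return findings for a PEM file before upload; an empty list means no issues."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if len(data) > MAX_BYTES:
        findings.append(f"file is {len(data)} bytes, over the {MAX_BYTES}-byte limit")
    blocks = PEM_RE.findall(data)
    if not blocks:
        findings.append("no PEM blocks found")
    for i, (label, body) in enumerate(blocks, 1):
        if label != b"CERTIFICATE":         # e.g. a private key pasted into the bundle
            findings.append(f"block {i} is {label.decode()}, not a certificate")
        elif (expires := not_after(base64.b64decode(body))) <= now:
            findings.append(f"certificate {i} expired {expires:%Y-%m-%d}")
        elif expires - now <= timedelta(days=WARN_DAYS):
            findings.append(f"certificate {i} expires {expires:%Y-%m-%d}, within {WARN_DAYS} days")
    return findings
```

Pass the raw file contents as bytes, for example `check_bundle(open(path, "rb").read())`. The check does not verify signatures or chain order.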


Manually installing certificates on CPE devices

To install certificates on CPE devices:

  1. In the menu, go to the SD-WAN → Certificates section.

    A table of certificates is displayed.

  2. Select the Distribute to CPEs check boxes next to the uploaded certificates that you want to install on CPE devices.
  3. Click Apply to CPEs.

The certificates are installed on the CPE devices. The Certificates are applied to CPEs message is displayed.


Scenario: installing certificates on a CPE device with firmware version 23.07

You can install a root certificate or a certificate chain signed by a custom certification authority on a CPE device with firmware version 23.07. Firmware version 23.07 is not fully supported by the current version of the orchestrator, so technical issues may occur when using this firmware version. We recommend updating the firmware of all CPE devices to the latest version.

The scenario for installing certificates on CPE devices with firmware version 23.07 involves the following steps:

  1. Uploading certificates using the orchestrator web interface

    Upload a certificate using the orchestrator web interface.

  2. Generating a URL with basic CPE device settings

    Generate a URL with basic CPE device settings while doing the following:

    1. In the Version drop-down list, select 23.07.
    2. Click Copy next to all generated URLs.
    3. Save the copied web addresses.
  3. Installing certificates on a CPE device

    Visit each of the copied web addresses in sequence on the CPE device where you want to install certificates.

The CPE device restarts after installing each certificate.

See also

Scheduling firmware updates on selected CPE devices

Scheduling firmware updates on CPE devices with specific tags


Exporting a certificate

To export a certificate:

  1. In the menu, go to the SD-WAN → Certificates section.

    A table of certificates is displayed.

  2. Click the certificate that you want to export.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

  3. In the upper part of the settings area, under Actions, click Export.

A certificate file in the PEM format is saved on your local device.


Deleting certificates

Deleted certificates cannot be restored.

To delete certificates:

  1. In the menu, go to the SD-WAN → Certificates section.

    A table of certificates is displayed.

  2. To delete an individual certificate:
    1. Click the certificate that you want to delete.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand icon.

    2. In the upper part of the settings area, under Actions, click Delete.
  3. To delete multiple certificates:
    1. Select check boxes next to certificates that you want to delete.
    2. In the upper part of the table, click Actions → Delete.
  4. In the confirmation window, click Delete.

The certificates are deleted and are no longer displayed in the table.
