Orchestrator certificates
To prevent man-in-the-middle (MITM) attacks, the CPE device checks whether the orchestrator certificate can be trusted when it communicates with the orchestrator. By default, root certificates of public certificate authorities are installed on devices.
If your orchestrator is using a certificate signed by a public certificate authority, you do not need to install an additional certificate on the devices. Otherwise, you must add the public root certificate used by the orchestrator to the devices by uploading the certificate to the orchestrator web interface.
Regarding certificate management, consider the following:
- Each time a new certificate is uploaded in the orchestrator web interface, the certificate is automatically distributed to CPE devices.
- When you first activate a CPE device using a web address, the certificate uploaded to the orchestrator is automatically installed on the device.
- 30 days before the certificate expiration date, the orchestrator begins displaying a notification each time a user authenticates in the orchestrator web interface.
Uploading an orchestrator certificate
To upload an orchestrator certificate:
- In the menu, go to the SD-WAN section.
By default, the CPE subsection is displayed with a table of CPE devices.
- In the upper part of the page, click + Certificate.
- Specify the path to the certificate file in PEM format. Maximum file size: 128 KB.
Information about the uploaded certificate is displayed in the Certificate subsection. The certificate is automatically distributed to CPE devices. You can distribute the certificate manually.
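A pre-upload check for the steps above, as an added example that is not part of the product documentation: a POSIX shell function that uses the standard openssl x509 command to confirm the file is a PEM certificate within the 128 KB limit and to flag one that is already inside the 30-day expiry notification window. The function name, its return codes, and the reading of 128 KB as 131072 bytes are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload check for an orchestrator root certificate.
MAX_BYTES=$((128 * 1024))     # assumption: "128 KB" means 131072 bytes
WARN_SECONDS=$((30 * 86400))  # 30-day expiry notification window

# Returns 0 = ready to upload, 1 = unusable file,
#         2 = valid PEM but expires within 30 days.
check_orchestrator_cert() {
    f=$1
    [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }

    size=$(($(wc -c < "$f")))
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "file is $size bytes; limit is $MAX_BYTES" >&2
        return 1
    fi

    # Require the PEM armor explicitly: newer openssl releases may
    # auto-detect DER input, but the upload step asks for PEM.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "no PEM certificate header found" >&2
        return 1
    fi
    if ! openssl x509 -in "$f" -noout 2>/dev/null; then
        echo "PEM body does not parse as an X.509 certificate" >&2
        return 1
    fi

    # Print identity data to compare out of band with the expected CA.
    openssl x509 -in "$f" -noout -subject -issuer -enddate \
        -fingerprint -sha256

    # -checkend exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend "$WARN_SECONDS" >/dev/null
    then
        echo "certificate expires within 30 days" >&2
        return 2
    fi
    return 0
}
```

Compare the printed SHA-256 fingerprint with the value obtained from the certificate's issuer through a separate channel before uploading, because every CPE device will trust whatever certificate is distributed.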
Viewing an orchestrator certificate
To view the orchestrator certificate:
In the menu, go to the SD-WAN → Certificate subsection.
The information page for the uploaded orchestrator certificate is displayed.
Manually distributing an orchestrator certificate to CPE devices
You can manually distribute an orchestrator certificate to CPE devices without waiting for automatic distribution.
To manually distribute an orchestrator certificate to CPE devices:
- In the menu, go to the SD-WAN → Certificate subsection.
The information page for the uploaded orchestrator certificate is displayed.
- In the upper part of the page, click Apply to CPEs.
Exporting an orchestrator certificate
To export an orchestrator certificate:
- In the menu, go to the SD-WAN → Certificate subsection.
The information page for the uploaded orchestrator certificate is displayed.
- In the upper part of the page, click Export.
A PEM file named 'cacert' is saved on your local device.