About the VPN Authentication Page
Contrail Service Orchestration (CSO) establishes secure IPsec Virtual Private Network (VPN) tunnels to connect sites after authenticating the tunnel endpoints. CSO authenticates tunnel endpoints by using either preshared keys or Public Key Infrastructure (PKI) certificates.
Service Provider (SP) and Operating Company (OpCo) Administrators can configure the authentication type when the tenant is onboarded.
If PKI certificates are configured as the authentication type, tenant administrators can modify the PKI settings from the VPN Authentication page (Administration > Certificate Management > VPN Authentication) after the tenant is onboarded.
The VPN Authentication page is displayed only for tenants with SD-WAN service that are configured with PKI as the authentication type.
Tasks You Can Perform
View information about the existing certificates for all provisioned sites in the tenant. See Table 1.
Change the Certificate Authority (CA) server settings (URL, password, and CRL Server URL) for the tenant. See Modify PKI Settings for All Sites.
Change the Certificate Revocation List (CRL) URL of certificates for the tenant. See Modify PKI Settings for All Sites.
Change the method of renewing PKI certificates for all provisioned sites in the tenant. See Modify PKI Settings for All Sites.
Change the method of renewing PKI certificates for one or more provisioned sites in the tenant. See Modify PKI Settings for Selected Sites.
Manually renew certificates for one or more provisioned sites in the tenant. See Modify PKI Settings for Selected Sites.
Search for certificates by using keywords. Click the Search icon to enter the search term in the text box and press Enter. The search results are displayed on the same page.
Show or hide columns. Click the Show Hide Columns icon at the top right corner of the grid and select the columns that you want displayed on the VPN Authentication page.
Table 1 describes the fields on the VPN Authentication page.
Table 1: Fields on the VPN Authentication page
Tenant-Level Settings for PKI Certificates
Current Tenant Setting
Renewal method currently configured for PKI certificates of the tenant.
Next Renew Check Time
Next CRL check time
Date and time at which the next CRL check is scheduled.
Last CRL update time
Date and time at which the CRL was last updated.
Details of Certificates
Name of the tenant.
Name of the PKI certificate.
ID of the PKI certificate.
Serial number of the PKI certificate.
Name of the site with which the PKI certificate is associated.
Name of the device with which the PKI certificate is associated.
Expiration status of the PKI certificate:
Date and time at which the PKI certificate expires.
Renewal method of the PKI certificate: