About the VPN Authentication Page

Contrail Service Orchestration (CSO) establishes secure IPsec Virtual Private Network (VPN) tunnels to connect sites after authenticating the tunnel endpoints. CSO authenticates tunnel endpoints by using either preshared keys or Public Key Infrastructure (PKI) certificates.

Service Provider (SP) and Operating Company (OpCo) Administrators can configure the authentication type when the tenant is onboarded.

If PKI certificate is configured as the authentication type, then tenant administrators can modify the PKI settings from the VPN Authentication page (Administration > Certificate Management > VPN Authentication) after the tenant is onboarded.

Note:

The VPN Authentication page is displayed only for tenants with SD-WAN service that are configured with PKI as the authentication type.

Tasks You Can Perform

View information about the existing certificates for all provisioned sites in the tenant. See Table 1.
Change the Certificate Authority (CA) server settings (URL, password, and CRL Server URL) for the tenant. See Modify PKI Settings for All Sites.
Change the Certificate Revocation List (CRL) URL of certificates for the tenant. See Modify PKI Settings for All Sites.
Change the method of renewing PKI certificates for all provisioned sites in the tenant. See Modify PKI Settings for All Sites.
Change the method of renewing PKI certificates for one or more provisioned sites in the tenant. See Modify PKI Settings for Selected Sites.
Manually renew certificates for one or more provisioned sites in the tenant. SeeModify PKI Settings for Selected Sites.
Search for certificates by using keywords. Click the Search icon to enter the search term in the text box and press Enter. The search results are displayed on the same page.
Show or hide columns. Click the Show Hide Columns icon at the top right corner of the grid and select the columns that you want displayed on the VPN Authentication page.

Field Descriptions

Table 1 describes the fields on the VPN Authentication page.

Table 1: Fields on the VPN Authentication page
Field	Description
Tenant-Level Settings for PKI Certificates
`Certificate Renewal`
Current Tenant Setting	Renewal method currently configured for PKI certificates of the tenant.
Next Renew Check Time	If the Auto Renew Certificate toggle button on the Edit Tenant Certificate page is enabled, displays the date and time at which the next renewal check is scheduled. If the Auto Renew Certificate toggle button on the Edit Tenant Certificate page is disabled, displays N/A (not applicable).
Next CRL check time	Date and time at which the next CRL check is scheduled.
Last CRL update time	Date and time at which the CRL was last updated.
Details of Certificates
Tenant Name	Name of the tenant.
Common Name	Name of the PKI certificate.
Certificate ID	ID of the PKI certificate.
Serial Number	Serial number of the PKI certificate.
Used In	Name of the site with which the PKI certificate is associated.
Device	Name of the device with which the PKI certificate is associated.
Status	Expiration status of the PKI certificate: If you set the certificate to be renewed automatically, the status displayed depends on the renewal period that you selected from the Edit Certificate Settings for Tenant page. For example, if you selected the renewal period as 1 month, the Status field displays `Less than 1 month before expiry`. If you set the certificate to be manually renewed, the status displayed depends on the expiration notification time for the certificate (Status: `Less than 2 weeks before expiry`). If the expiration date of the certificate does not meet the expiration notification time yet, the Status field displays `–`. If the certificate has expired, the Status field displays `Expired`.
Expires on	Date and time at which the PKI certificate expires.
Renewal Method	Renewal method of the PKI certificate: Auto Manual

ON THIS PAGE

About the VPN Authentication Page

Tasks You Can Perform

Field Descriptions

Related Documentation