Introduction

Versa SD-WAN solution leverages an IKE-based IPsec control-plane connection between the SD-WAN controller and branch. This IPsec session can be authenticated with PSK or PKI. This document describes the procedure for PKI-based authentication, which requires a CA server to assign certificates. EJBCA is used as the CA server. PKI authentication can be leveraged during staging and post staging. Here, we describe the use-case for post staging.


Environment

EJBCA

  • Host OS: Ubuntu Server 16.04-3-LTS (default, native installation that is dedicated for EJBCA)
  • Application Server: JBOSS EAP 6.4.0
  • EJBCA: ejbca_ce_6.5.0.5
  • FlexVNF: 16.1R1S3.1

Installing EJBCA

Install EJBCA as describe in this document. For step 5 in the document, ensure that the ejbca.properties.sampe file is copied to ejbca.properties and that the jboss appserver.home is correctly defined.

After successfully installing EJBCA, you can start the CA by typing from the EJBCA home directory, ./jboss-eap-6.4/bin/standalone.sh

Every time the server boots, start it manually. If you have installed the certificate in your browser, launch this URL.

Configuring EJBCA

1. Add a CA.

2. Configure the CA.



3. Add and configure a certificate profile.


5. Add End Entity Profile under RA functions and ensure that all the field values are correct.

6. Configure a CMP.

You can add an end-entry for each branch and the controller, whose entries are identically configured.

For testing, a certificate can only be used once. After an end-entity has been configured, its status is New. Only certificates in this status can be fetched by FlexVNF with the status changing to Generated. Such certificates cannot be fetched from the FlexVNF again. Edit this certificate and change the status to New if you need FlexVNF to fetch it again.

Note that in normal usage, the certificate is fetched from the CA only once. After it is fetched, it is stored in FlexVNF TMP chip permanently.

Configuring FlexVNF for fetching certificates

SD-WAN controller

1. In the Appliance view, go to Configuration > Objects & Connectors > Connectors > Certificate Manager. Make sure you select the correct organization for which you want to configure PKI.

2. Configure the server.

The interface name specified here is the interface from where this FlexVNF controller has IP reachability to the CA server. In this setup, the CA server is on the Internet and VNI-0/2.0 is the WAN interface for the Internet in the controller.


3. Configure the request.


4. Choose the certificate name. Common Name and Email ID should match with what was configured for this device certificate in the CA. 


5. Choose the key name. Since the FlexVNF controller connects to the CA using PSK, specify the shared key. This key should match the password in the End Entity of the controller certificate in the CA.


With this configuration, the controller should be able to fetch the certificate from the CA. On the FlexVNF CLI, you can verify whether the controller has fetched the certificate. Because the controller is multi-tenant, the command to verify this is under orgs org-services.

admin@controller1-cli> show orgs org-services customer2 crypto pki certificates 
crypto pki certificates controller1cert
 serial-number 2cd41b15939b7e8c
 common-name   controller1.versa-networks.com
 alt-name      email:controller1@versa-networks.com
 priv-key      controller1key
 ca            VersaDemoCA
 ca-cert       NO
 not-before    Nov-6-2017
 not-after     Nov-6-2019
 pub-key       "AwEAAay/QvIYTnynGn8rBo4wUcrWels3RcvTKMtQzMmceHduR1DqM2eaa1bPDT8IQZ2oCTzc\nZkVfXAIz7PxU1iVPJ1yez8z7HL+UVtNt+ewUeVnBbsGyLY9RZTXruGORjZ/OyoOwUtcjtPfp\nxmNzJdApHjOPys8lJYT5Hs/K+ToN3ZSGZWJPaCLB91tMLzLp/PtN7e6cdjqOi0QEKL44djdL\n7jhxIGkTjJ4cEuos2rv+g0DefUgAq3ounRqViQlL6zXTdhkGmpTTzfmjfL33A/n3CbCfZNHa\nfoK4wdG6o2j3/ur+GpEIHY1nzftIvcT3EgSJNgqEdOdhbgJ/1NR+b1mzzn0="
 cert-data     "MIIDkzCCAnugAwIBAgIILNQbFZObfowwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLVmVy\nc2FEZW1vQ0EwHhcNMTcxMTA2MDkxNTM0WhcNMTkxMTA2MDkxNTM0WjBPMScwJQYDVQQDDB5j\nb250cm9sbGVyMS52ZXJzYS1uZXR3b3Jrcy5jb20xCzAJBgNVBAsMAklUMRcwFQYDVQQKDA5W\nZXJzYSBOZXR3b3JrczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKy/QvIYTnyn\nGn8rBo4wUcrWels3RcvTKMtQzMmceHduR1DqM2eaa1bPDT8IQZ2oCTzcZkVfXAIz7PxU1iVP\nJ1yez8z7HL+UVtNt+ewUeVnBbsGyLY9RZTXruGORjZ/OyoOwUtcjtPfpxmNzJdApHjOPys8l\nJYT5Hs/K+ToN3ZSGZWJPaCLB91tMLzLp/PtN7e6cdjqOi0QEKL44djdL7jhxIGkTjJ4cEuos\n2rv+g0DefUgAq3ounRqViQlL6zXTdhkGmpTTzfmjfL33A/n3CbCfZNHafoK4wdG6o2j3/ur+\nGpEIHY1nzftIvcT3EgSJNgqEdOdhbgJ/1NR+b1mzzn0CAwEAAaOBqzCBqDAMBgNVHRMBAf8E\nAjAAMB8GA1UdIwQYMBaAFNJo+t9eksbTphmP8rAoG4eGDOdIMCkGA1UdEQQiMCCBHmNvbnRy\nb2xsZXIxQHZlcnNhLW5ldHdvcmtzLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH\nAwQwHQYDVR0OBBYEFL4DOuGzXcYl4j7WbHvQAn5sEVA/MA4GA1UdDwEB/wQEAwIF4DANBgkq\nhkiG9w0BAQsFAAOCAQEAQc1gyK3iflpvevj3oaB36K9lCYh5w+I7lgdviH+hQnkNqRacw+Ga\n12kGa4Q7NOnL73J7sa8sPZ1QDm+2wAR63WU1D6tZQQblTtLB/XAxnkpc/RltuZN7p0Yy9mCx\nKKdPGQ/hdb2pCswMsObdGyVzix0kJrXEESwYMkXKWu4iVR84AamjtOU5oP5Mc3rk+RpPZUn5\ntIrPazZDycb1eOr93MaMOkop7ZbMWjm5oDwdSTPcnwNEc4ki43lIRsr07n//dOhxvBz00Oa8\n7oB0zzkneFshP+TOUfLvErcumL1wJ5Cq/cT60FB4H1H7A62gh6OzpHJ/TIHyKjgn+FpO0Nc6\n+g=="
[ok][2017-11-07 01:05:12]
admin@controller1-cli>


The same needs to be done on the branch FlexVNF. The following is the CLI configuration.

admin@VM2-cli> show configuration | display set | match crypto 
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA url http://192.168.2.141:8080/ejbca/publicweb/cmp/VersaDemoCMP
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA ca-identity CN=VersaDemoCA
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA server-type CMP
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA ocsp hash-algorithm sha1
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA ocsp response-cache-period 0
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA ocsp monitor-interval 0
set orgs org-services customer2 crypto pki cert-server-profiles EJBCA routing-instances [ internet-Transport-VR ]
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert cert-server EJBCA
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert common-name vm2.versa-networks.com
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert email-id vm2@versa-networks.com
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert validity 365
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert private-key-size 2048
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert private-key-name vm2key
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert cert-domain system
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert auto-renewal true
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert cert-sign-req-auth auth-type csr-psk
set orgs org-services customer2 crypto pki cert-signing-requests VM2cert cert-sign-req-auth shared-key versa123
[ok][2017-11-08 23:54:16]
admin@VM2-cli>

In this example, VM2 is a single tenant, so cert-domain is set to the system (it was tenant for the controller). Because VM2 is a single tenant, the command to verify the certificate loaded is different.

admin@VM2-cli> show crypto pki certificates 
crypto pki certificates VM2cert
 serial-number 2911547da35f8d39
 common-name   vm2.versa-networks.com
 alt-name      email:vm2@versa-networks.com
 priv-key      vm2key
 ca            VersaDemoCA
 ca-cert       NO
 not-before    Nov-6-2017
 not-after     Nov-6-2019
 pub-key       "AwEAAdxTvKRiuh6fwgYneZ8arWeOwAuQIltZ4MP7zU9BP+zJj677ra0v44P4olKBVvDJ3IgA\nreMnN3CCfsZLoeg8qCh8gFLNHPMjf4APjyG09C8AJVqjd5oAF7alj7y0ZG/op6a5mBkzAz4l\nfjbUvKmEMpQOlD1KU9Bklrumz+EhS/dTihLil9A9hjCoecCh057j0AfXDZkPQBuRiKuKeRCF\nAnvcXpITQuGkWclP+fv651K1l6XQpF5QHUA7GLUKbagmX+bMrhYTvE3U6qKoGx9bLID1jmnz\n16E5/23149pGlxsfE64XkN/1lqn2VuWJOzSkCxxzCVARe3QjPhPGwJe6q5s="
 cert-data     "MIIDgzCCAmugAwIBAgIIKRFUfaNfjTkwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLVmVy\nc2FEZW1vQ0EwHhcNMTcxMTA2MDkxMTE4WhcNMTkxMTA2MDkxMTE4WjBHMR8wHQYDVQQDDBZ2\nbTIudmVyc2EtbmV0d29ya3MuY29tMQswCQYDVQQLDAJJVDEXMBUGA1UECgwOVmVyc2EgTmV0\nd29ya3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcU7ykYroen8IGJ3mfGq1n\njsALkCJbWeDD+81PQT/syY+u+62tL+OD+KJSgVbwydyIAK3jJzdwgn7GS6HoPKgofIBSzRzz\nI3+AD48htPQvACVao3eaABe2pY+8tGRv6KemuZgZMwM+JX421LyphDKUDpQ9SlPQZJa7ps/h\nIUv3U4oS4pfQPYYwqHnAodOe49AH1w2ZD0AbkYirinkQhQJ73F6SE0LhpFnJT/n7+udStZel\n0KReUB1AOxi1Cm2oJl/mzK4WE7xN1OqiqBsfWyyA9Y5p89ehOf9t9ePaRpcbHxOuF5Df9Zap\n9lbliTs0pAsccwlQ


Make sure your certificate looks similar and that all the fields are populated similar to this example.

Configuring FlexVNF to use PKI for IPSEC

1. Go to Services > IPsec > VPN Profiles in the Appliance view. We assume that IPsec is configured through workflows, which defaults to PSK authentication. 


2. Click on the VPN profile to edit this configuration. In the Edit IPsec VPN screen, select IKE, and enter the required values in the highlighted fields.

IKE configuration for controller (which is multi-tenant)

IKE configuration for branch (which is single tenant)


NOTE: Certificate Name is the name you specify in the Add Request screen in the Certificate Management menu. You can also find this Certificate Name in the CLI output above.


NOTE: CA Chain is the name you specify in the Add Server screen in the Certificate Management menu. The CLI output of the modified VPN profile for VM2 is given below.

admin@VM2-cli> show configuration | display set | match vpn-profile
set orgs org-services customer2 ipsec vpn-profile controller1-Profile vpn-type branch-sdwan
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local-auth-info
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local-auth-info auth-type certificate
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local-auth-info cert-name VM2cert
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local-auth-info ca-chain EJBCA
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local-auth-info cert-domain system
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local
set orgs org-services customer2 ipsec vpn-profile controller1-Profile local interface-name tvi-0/6.0
set orgs org-services customer2 ipsec vpn-profile controller1-Profile routing-instance customer2-Control-VR
set orgs org-services customer2 ipsec vpn-profile controller1-Profile tunnel-routing-instance customer2-Control-VR
set orgs org-services customer2 ipsec vpn-profile controller1-Profile tunnel-initiate automatic
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec fragmentation pre-fragmentation
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec force-nat-t disable
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec transform esp-aes128-sha1
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec mode tunnel
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec pfs-group mod-none
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec anti-replay enable
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec life duration 28800
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ipsec keepalive-timeout 10
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ike group mod19
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ike lifetime 28800
set orgs org-services customer2 ipsec vpn-profile controller1-Profile ike dpd-timeout 10
set orgs org-services customer2 ipsec vpn-profile controller1-Profile peer-auth-info
set orgs org-services customer2 ipsec vpn-profile controller1-Profile peer-auth-info auth-type certificate
set orgs org-services customer2 ipsec vpn-profile controller1-Profile peer-auth-info ca-chain EJBCA
set orgs org-services customer2 ipsec vpn-profile controller1-Profile peer
set orgs org-services customer2 ipsec vpn-profile controller1-Profile peer address [ 10.3.0.1 ]
set orgs org-services customer2 ipsec vpn-profile controller1-Profile tunnel-interface ptvi3
set orgs org-services customer2 ipsec vpn-profile controller1-Profile revocation-check none
[ok][2017-11-07 01:23:25]
admin@VM2-cli>


Verifying IPsec tunnel establishment

With this configuration, IPsec control-plane for customer2 organization should make a branch-controller connection using PKI authentication. You can use the usual CLI commands to verify the correct operation of the IPSEC tunnel establishment.

admin@VM2-cli> show orgs org-services customer2 ipsec vpn-profile controller1-Profile ike history               
Local Gateway: 10.3.0.104      Remote Gateway: 10.3.0.1
  Last Known State        : Active
  Last State Timestamp    : 2017-11-08T23:47:46.70318-08:00
  Event History: 
   0. Event        : IKE Done
      Timestamp    : 2017-11-08T23:47:46.703192-08:00
      Role         : initiator
      Inbound SPI  : 0xe14b27a9c4930002 
      Outbound SPI : 0x97636ac15c5e0002 
[ok][2017-11-09 00:05:21]
admin@VM2-cli>

admin@VM2-cli> show orgs org-services customer2 ipsec vpn-profile controller1-Profile ike security-associations detail

  Tunnel-Id: 10,  VSN : 0
  IKE Version: v2, Type: branch-sdwan
    Authentication: hmac-sha1-96, Encryption: aes128-cbc, DH Group: mod19
    Life Time: 28800 seconds, Remaining Life Time: 27836 seconds
  Local  Gateway: 10.3.0.104
    Auth Type: certificate, ID Type: email, ID String: vm2@versa-networks.com
    SPI: 0xe14b27a9c4930002
  Remote Gateway: 10.3.0.1
    Auth Type: certificate, ID Type: email,  ID String: controller1@versa-networks.com
    SPI: 0x97636ac15c5e0002
[ok][2017-11-09 00:03:50]
admin@VM2-cli>


The control plane session should be UP.

admin@VM2-cli> show interfaces br
NAME         MAC                OPER  ADMIN  TENANT  VRF                    IP                  
------------------------------------------------------------------------------------------------
eth-0/0      00:0c:29:05:20:fd  up    up     0       global                 192.168.2.164/24    
ptvi3        n/a                up    up     2       customer2-Control-VR   10.3.64.1/32        
tvi-0/6      n/a                up    up     -       -                                          
tvi-0/6.0    n/a                up    up     2       customer2-Control-VR   10.3.0.104/32       
tvi-0/602    n/a                up    up     -       -                                          
tvi-0/602.0  n/a                up    up     2       internet-Transport-VR  169.254.0.2/31      
tvi-0/603    n/a                up    up     -       -                                          
tvi-0/603.0  n/a                up    up     2       customer2-LAN-VR       169.254.0.3/31      
tvi-0/7      n/a                up    up     -       -                                          
tvi-0/7.0    n/a                up    up     2       customer2-Control-VR   10.3.64.104/32      
vni-0/0      00:0c:29:05:20:1b  up    up     -       -                                          
vni-0/0.0    00:0c:29:05:20:1b  up    up     2       mpls-Transport-VR      192.168.160.164/24  
vni-0/1      00:0c:29:05:20:07  up    up     -       -                                          
vni-0/1.0    00:0c:29:05:20:07  up    up     2       internet-Transport-VR  192.168.2.4/24      
vni-0/2      00:0c:29:05:20:25  up    up     -       -                                          
vni-0/2.0    00:0c:29:05:20:25  up    up     2       customer2-LAN-VR       172.2.164.100/24    

[ok][2017-11-09 00:06:32]
admin@VM2-cli>


PKI certificate management

Once the certificate management is configured on FlexVNF, the system automatically fetches the certificate from the CA. This happens only if the certificate is in the NEW state. After it is fetched, it enters the GENERATED state, which indicates it cannot be reused.


1. View the presence of the certificate.

admin@controller1-cli> show orgs org-services customer1 crypto pki certificates 
crypto pki certificates controller1cert
 serial-number 635b283330d60cfb
 common-name   controller1.versa-networks.com
 alt-name      email:controller1@versa-networks.com
 priv-key      controller1key
 ca            VersaDemoCA
 ca-cert       NO
 not-before    Nov-12-2017
 not-after     Nov-12-2019
 pub-key       "AwEAAff8GeiRS9L2CYitWV2R/3zYxy/zjY8ZlMviOwLynjPra9Uezyf7El2YGY4W0ITx6RRq\no8IRm0h9t0+uTE597/DUq54v7O93EyirQaOu0iHHuHT8CUUmW32wH8qyKpp8sapHcUkS6nLE\neYCqXmk717pnDGqlUMrUIk7hsZsjg7gqapCZ6cLAdxhg0dsSd81CO2lUUzPYbBTnG3/ofUXe\npw49IPvLbXguPjh7XFpTGbexXaF9j2ysxwdZt6eF04p082MFnisdCmNb6E4jeNOKMLAgnn9x\n2r1NCIwPUzIsvRSTk8Qm4T6swgOHOjVsidWz3WYkTZ9iapG18+ocp1ZU3q0="
 cert-data     "MIIDkzCCAnugAwIBAgIIY1soMzDWDPswDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLVmVy\nc2FEZW1vQ0EwHhcNMTcxMTEyMTE0OTM2WhcNMTkxMTEyMTE0OTM2WjBPMScwJQYDVQQDDB5j\nb250cm9sbGVyMS52ZXJzYS1uZXR3b3Jrcy5jb20xCzAJBgNVBAsMAklUMRcwFQYDVQQKDA5W\nZXJzYSBOZXR3b3JrczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPf8GeiRS9L2\nCYitWV2R/3zYxy/zjY8ZlMviOwLynjPra9Uezyf7El2YGY4W0ITx6RRqo8IRm0h9t0+uTE59\n7/DUq54v7O93EyirQaOu0iHHuHT8CUUmW32wH8qyKpp8sapHcUkS6nLEeYCqXmk717pnDGql\nUMrUIk7hsZsjg7gqapCZ6cLAdxhg0dsSd81CO2lUUzPYbBTnG3/ofUXepw49IPvLbXguPjh7\nXFpTGbexXaF9j2ysxwdZt6eF04p082MFnisdCmNb6E4jeNOKMLAgnn9x2r1NCIwPUzIsvRST\nk8Qm4T6swgOHOjVsidWz3WYkTZ9iapG18+ocp1ZU3q0CAwEAAaOBqzCBqDAMBgNVHRMBAf8E\nAjAAMB8GA1UdIwQYMBaAFNJo+t9eksbTphmP8rAoG4eGDOdIMCkGA1UdEQQiMCCBHmNvbnRy\nb2xsZXIxQHZlcnNhLW5ldHdvcmtzLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH\nAwQwHQYDVR0OBBYEFEti5TOcIDHwnB5raK3y6bm5GwGEMA4GA1UdDwEB/wQEAwIF4DANBgkq\nhkiG9w0BAQsFAAOCAQEAOByZA3z5zAfXWXwlkovS5t/wKui8j6R81tLqz10hc/142BYOMFJ/\ncodEovemjD/IPVF7F6WkazCSJVrxNo0X3L2Bqt3j573szP/3uSptEA4Z8sIUAsyCycOhdhcQ\n4Mw4PjqYBdX80vAnPZqfD3HZrAHcOU6EwhiFlqo8F214YYguxQmd4JKgc7+x3iTdFlsxzGeb\nYPU7nIPiWi94ORjO0CECSZY6cireONdON83HgIDfZ3k3Lvq9BaX6YfQge3US/OaXWp4E4PxA\n2Bcc6Qm2jJnPUAGbFjfVQPF4/elP7422ICzaWuGkKsyvOUWlexUbVy2tYmS+lbfvFI/3NO/J\nRw=="
[ok][2017-11-12 04:00:24]


2. Delete the certificate from FlexVNF (This example is for a multi-tenant configuration. Single tenant config do NOT have the “orgs org-services” parameter):

admin@controller1-cli> request orgs org-services customer1 crypto pki certificate delete name controller1cert 
Certificate deleted. Deleted associated private-key controller1key.
[ok][2017-11-12 04:02:02]
admin@controller1-cli> show orgs org-services customer1 crypto pki certificates                              
% No entries found.
[ok][2017-11-12 04:02:06]


3. Show the root certificate.

admin@controller1-cli> show orgs org-services customer1 crypto pki ca-chains 
crypto pki ca-chains EJBCA
 ca-chain-certificates 5db16229767ef9e8281d227897b9443f
  ca-name      VersaDemoCA
  ca-cert-data "MIIDETCCAfmgAwIBAgIIEUeIFp2OI1swDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLVmVy\nc2FEZW1vQ0EwHhcNMTcxMTAzMDgyOTA5WhcNMjAwMTAxMDAwMDAwWjAWMRQwEgYDVQQDDAtW\nZXJzYURlbW9DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHQoiQYPPylS5+u\nICkxCSB2MeWjj9UuSdT3e51IVgJVRPQB51YLevqpTh6cfBAzSm/0AmiMWn+PpOG0DpfX+Lut\n7iygSaqpIzwAHqp5+lvP6pM7nE7LVzeVJtRTqisEWXS0sq2sZ8HeB1ulUvQzzqmzy9Q7fdj3\nRCCLI9S76yTJsvzc34Q6HNtYwiV15gDu1ENe25cCzg4HEkOn4zSXcrv2TbusTxKsJo1XBeQl\nxhLX1rKmm5dS23OcbjziXCoXh25Y1lh6qcBUnxvbbMu+JIkOuqwAdGqsvKbHxVK0i82ozYY1\nHS4k/jedHMiKJZfXvkbVbH+Nf+N30xpES2GPxO8CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB\n/zAfBgNVHSMEGDAWgBTSaPrfXpLG06YZj/KwKBuHhgznSDAdBgNVHQ4EFgQU0mj6316SxtOm\nGY/ysCgbh4YM50gwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAXfsY5yHXp\nUT+iCTuR+MaGHT+spfr17wsdnuTCc/iB9+pcJ2vMfIb1dbbsN0VQXcvElrX+hhhOGOzfVyG5\n9/EVvsqXuJUt7aU0NZ3Nrd2rO55KFw5nnLTcATRWoG7kzMZPs/EI8V3L80x8wQ3c9oMtEkdT\nrT1YczKLlvt0YpVPolwf1jNqrSZSzWNblrc/bKbNnZqalFnC0Ti9LzKrid5GZLGLK2q6CcZp\nB+AHVTBg3VItxAjjp5DtAf631v80AR3WBGbapjBWydiNtUFZBx+CMV6gTmVa+pmbNMWRTtMa\neyTFilgU2OsX2MIq4q5AgV3uYhIMbgQUkr0A728UyPcM"
[ok][2017-11-12 04:02:18]
admin@controller1-cli> 


4. Delete the root certificate.

admin@controller1-cli> request orgs org-services customer1 crypto pki ca-chain delete name EJBCA 
ca_chain deleted
[ok][2017-11-12 04:02:35]
admin@controller1-cli> show orgs org-services customer1 crypto pki ca-chains                    
% No entries found.
[ok][2017-11-12 04:02:37]


5. Fetch a new certificate from the CA.

admin@controller1-cli> request orgs org-services customer1 crypto pki certificate cmp-enroll name controller1cert
[ok][2017-11-12 04:04:21]
admin@controller1-cli> show orgs org-services customer1 crypto pki certificates                                  
crypto pki certificates controller1cert
 serial-number 2f608c7de97b5f5f
 common-name   controller1.versa-networks.com
 alt-name      email:controller1@versa-networks.com
 priv-key      controller1key
 ca            VersaDemoCA
 ca-cert       NO
 not-before    Nov-12-2017
 not-after     Nov-12-2019
 pub-key       "AwEAAcV8c1dPjafdkqJXaV1ux0fEvqaFZdUJshJrrFWdxF19pb5x8FLtTNR0m0ZbDSkQpnwH\nD+qV3n5NLayioPXN3Zw+1GFfRa+nDblnDyLF87qNDKsw8gj57CIpGNq1cysGdM3G5PLv3KrJ\ns9omaeMcZPNH2pG9NENSrbprQdvAPyApRGfNgMJXfJ6o90BVvjab9eXmZCFuT79zhKfyvy44\n87exinA5OUouEhf7YszF4QfTYPmKG4EJ4ZYMvErBbA0w5BYCK5BaQ4D4HFlfjPQfLiLiBma/\n0xypoAIf/C6ZPeD1b5vZq1FTiMyQnoCrIiUssJx0d2DLe3oZgCZMKMRqbxM="
cert-data     "MIIDkzCCAnugAwIBAgIIL2CMfel7X18wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLVmVy\nc2FEZW1vQ0EwHhcNMTcxMTEyMTE1NDE3WhcNMTkxMTEyMTE1NDE3WjBPMScwJQYDVQQDDB5j\nb250cm9sbGVyMS52ZXJzYS1uZXR3b3Jrcy5jb20xCzAJBgNVBAsMAklUMRcwFQYDVQQKDA5W\nZXJzYSBOZXR3b3JrczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV8c1dPjafd\nkqJXaV1ux0fEvqaFZdUJshJrrFWdxF19pb5x8FLtTNR0m0ZbDSkQpnwHD+qV3n5NLayioPXN\n3Zw+1GFfRa+nDblnDyLF87qNDKsw8gj57CIpGNq1cysGdM3G5PLv3KrJs9omaeMcZPNH2pG9\nNENSrbprQdvAPyApRGfNgMJXfJ6o90BVvjab9eXmZCFuT79zhKfyvy4487exinA5OUouEhf7\nYszF4QfTYPmKG4EJ4ZYMvErBbA0w5BYCK5BaQ4D4HFlfjPQfLiLiBma/0xypoAIf/C6ZPeD1\nb5vZq1FTiMyQnoCrIiUssJx0d2DLe3oZgCZMKMRqbxMCAwEAAaOBqzCBqDAMBgNVHRMBAf8E\nAjAAMB8GA1UdIwQYMBaAFNJo+t9eksbTphmP8rAoG4eGDOdIMCkGA1UdEQQiMCCBHmNvbnRy\nb2xsZXIxQHZlcnNhLW5ldHdvcmtzLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH\nAwQwHQYDVR0OBBYEFCw4jzZ6zX/8Ntx76qdGWqG0g0WkMA4GA1UdDwEB/wQEAwIF4DANBgkq\nhkiG9w0BAQsFAAOCAQEAVTgUMdlLMKhZYDXmdDbfj8JrxjPbwRQUqoPC9M+PNM+8PA6of2yg\nHIRcKNFZSeO1XisZ27863z0DYDb9EXJlzqk3mXrYZmjAycVtqMyLlHO6DtB5MRf5O/6p5gTj\npkwi8LXjnmhKMPnvkIWUfmBRuP20P66EmQRPcLKt/XcqJJQhP6QmDsfwEpq9rvRGK7gYF1SS\nkhiD36DssOJJHEHWP9UoMF4F1lwJcajR8ZMDqV8o48artSpcMR5IR6Igb2OnRYG250MUUZIi\nRkfYvWGrzuWZP4bzlQG4iI+8R3FcpbeXhfzBMVccctygDn3GyWl4LwK4LqaH7fJ5EBkXwe7N\nZg=="
[ok][2017-11-12 04:04:24]
admin@controller1-cli> 
admin@controller1-cli> 


This automatically fetches the root certificate.

admin@controller1-cli> show orgs org-services customer1 crypto pki ca-chains   
crypto pki ca-chains EJBCA
 ca-chain-certificates 5db16229767ef9e8281d227897b9443f
  ca-name      VersaDemoCA
  ca-cert-data "MIIDETCCAfmgAwIBAgIIEUeIFp2OI1swDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLVmVy\nc2FEZW1vQ0EwHhcNMTcxMTAzMDgyOTA5WhcNMjAwMTAxMDAwMDAwWjAWMRQwEgYDVQQDDAtW\nZXJzYURlbW9DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHQoiQYPPylS5+u\nICkxCSB2MeWjj9UuSdT3e51IVgJVRPQB51YLevqpTh6cfBAzSm/0AmiMWn+PpOG0DpfX+Lut\n7iygSaqpIzwAHqp5+lvP6pM7nE7LVzeVJtRTqisEWXS0sq2sZ8HeB1ulUvQzzqmzy9Q7fdj3\nRCCLI9S76yTJsvzc34Q6HNtYwiV15gDu1ENe25cCzg4HEkOn4zSXcrv2TbusTxKsJo1XBeQl\nxhLX1rKmm5dS23OcbjziXCoXh25Y1lh6qcBUnxvbbMu+JIkOuqwAdGqsvKbHxVK0i82ozYY1\nHS4k/jedHMiKJZfXvkbVbH+Nf+N30xpES2GPxO8CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB\n/zAfBgNVHSMEGDAWgBTSaPrfXpLG06YZj/KwKBuHhgznSDAdBgNVHQ4EFgQU0mj6316SxtOm\nGY/ysCgbh4YM50gwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAXfsY5yHXp\nUT+iCTuR+MaGHT+spfr17wsdnuTCc/iB9+pcJ2vMfIb1dbbsN0VQXcvElrX+hhhOGOzfVyG5\n9/EVvsqXuJUt7aU0NZ3Nrd2rO55KFw5nnLTcATRWoG7kzMZPs/EI8V3L80x8wQ3c9oMtEkdT\nrT1YczKLlvt0YpVPolwf1jNqrSZSzWNblrc/bKbNnZqalFnC0Ti9LzKrid5GZLGLK2q6CcZp\nB+AHVTBg3VItxAjjp5DtAf631v80AR3WBGbapjBWydiNtUFZBx+CMV6gTmVa+pmbNMWRTtMa\neyTFilgU2OsX2MIq4q5AgV3uYhIMbgQUkr0A728UyPcM"
[ok][2017-11-12 04:06:34]
admin@controller1-cli>