Symptom
Standard IOS XE can install a root certificate with the "crypto pki certificate chain TP" command, but SD-WAN controller mode does not support it.
Conditions
Console output:
MAP-E-TEST(config)# crypto pki certificate chain TP
-------------------------------------------^
syntax error: element does not exist
MAP-E-TEST(config)#
Workaround
1. Check the root certificate fingerprint with the openssl command on your laptop.
Desktop % openssl x509 -in ./test.cer -fingerprint -noout | awk -F "=" '{print $2}' | sed 's/://g'
AD7E1C28B064EF8F6003402014C3D0E3370EB58A
2. Upload the root certificate to bootflash: on the cEdge using SCP.
MAP-E-TEST#dir bootflash:TP.ca
Directory of bootflash:/TP.ca
61 -rw- 1465 Oct 15 2022 01:07:18 +09:00 TP.ca
5173313536 bytes total (3145449472 bytes free)
3. Enter the commands below to create a new PKI trustpoint.
MAP-E-TEST#config-transaction
MAP-E-TEST(config)# crypto pki trustpoint TP
MAP-E-TEST(ca-trustpoint)# enrollment url bootflash:
MAP-E-TEST(ca-trustpoint)# revocation-check none
MAP-E-TEST(ca-trustpoint)# fingerprint AD7E1C28B064EF8F6003402014C3D0E3370EB58A
MAP-E-TEST(ca-trustpoint)# commit
4. Check the trustpoint status with the commands below.
MAP-E-TEST#
MAP-E-TEST#crypto pki authenticate TP
Reading file from bootflash:TP.ca
Certificate has the following attributes:
Fingerprint MD5: 324A4BBB C863699B BE749AC6 DD1D4624
Fingerprint SHA1: AD7E1C28 B064EF8F 60034020 14C3D0E3 370EB58A
Trustpoint Fingerprint: AD7E1C28 B064EF8F 60034020 14C3D0E3 370EB58A
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
MAP-E-TEST#
MAP-E-TEST#sh crypto pki trustpoints TP
Trustpoint TP:
Subject Name:
ou=Starfield Class 2 Certification Authority
o=Starfield Technologies
Inc.
c=US
Serial Number (hex): 00
Certificate configured.
IFS URL: bootflash:
MAP-E-TEST#
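An added check for steps 1 and 4, not part of the original bug note: it normalises the openssl and IOS XE fingerprint spellings and confirms that a saved "crypto pki authenticate" transcript reports the same SHA1 value that was computed off-box. The function names are hypothetical; the sample transcript is copied from the output above and the mismatch case is constructed.

```shell
#!/bin/sh
# Added example (not Cisco's): verify a saved "crypto pki authenticate" transcript.

# Reduce any fingerprint spelling to bare uppercase hex, e.g.
# "SHA1 Fingerprint=AD:7E:..." (openssl) or "AD7E1C28 B064EF8F ..." (IOS XE).
norm_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# A SHA-1 fingerprint is exactly 40 hex digits.
is_sha1_fp() {
    case "$1" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Extract the value of one labelled line ($1) from transcript text ($2).
transcript_fp() {
    norm_fp "$(printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1)"
}

# Succeed only if the hash the router computed over the file, the fingerprint
# pinned in the trustpoint, and the value computed off-box are all identical.
check_authenticate() {   # $1 = off-box fingerprint, $2 = transcript text
    want=$(norm_fp "$1")
    is_sha1_fp "$want" || { echo "expected value is not a SHA-1 fingerprint" >&2; return 2; }
    seen=$(transcript_fp 'Fingerprint SHA1' "$2")
    pinned=$(transcript_fp 'Trustpoint Fingerprint' "$2")
    [ "$seen" = "$want" ] || { echo "file on bootflash hashes to: $seen" >&2; return 1; }
    [ "$pinned" = "$want" ] || { echo "trustpoint pins: $pinned" >&2; return 1; }
    printf '%s\n' "$2" | grep -q 'Trustpoint CA certificate accepted'
}

# Values below are copied from the workaround output on this page.
EXPECTED='AD7E1C28B064EF8F6003402014C3D0E3370EB58A'
SAMPLE='Reading file from bootflash:TP.ca
Certificate has the following attributes:
Fingerprint MD5: 324A4BBB C863699B BE749AC6 DD1D4624
Fingerprint SHA1: AD7E1C28 B064EF8F 60034020 14C3D0E3 370EB58A
Trustpoint Fingerprint: AD7E1C28 B064EF8F 60034020 14C3D0E3 370EB58A
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.'
# Constructed negative case (not real router output): file hash altered.
TAMPERED=$(printf '%s\n' "$SAMPLE" | sed 's/SHA1: AD7E1C28/SHA1: 00000000/')

check_authenticate "$EXPECTED" "$SAMPLE" && echo "TP: fingerprints agree"
```

The expected value passed in should come from a copy of the certificate obtained independently of the file uploaded to bootflash:, otherwise the comparison only shows that the upload was not corrupted.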
Further Problem Description