In the SD-WAN PKI, which entity issues the CA-signed certificates used by devices to join the fabric?

In SD-WAN PKI, devices prove their identity to join the fabric by presenting certificates that were signed by a trusted Certificate Authority. The process typically involves a device generating a certificate signing request (CSR) with its identity and public key, and a trusted CA signs that CSR to produce a CA-signed certificate. This signed certificate, along with the CA’s public root certificate installed on devices and controllers, establishes trust during the TLS-based enrollment and secure communication within the fabric. The signer is the Certificate Authority, not the device itself, and not the controller issuing all certificates by itself in general. The CA may be an internal entity managed within the SD-WAN environment or an external CA, but the key point is that the CA issues the CA-signed certificates used by devices to join the fabric.