What is the typical certificate-based enrollment flow for vEdge devices?

Study for the CCNP Software-Defined Wide Area Network (SD-WAN) Exam. Master key concepts with flashcards and multiple choice questions, each complete with hints and explanations. Gear up to ace your exam!

Multiple Choice

What is the typical certificate-based enrollment flow for vEdge devices?

Explanation:
Certificate-based enrollment for vEdge devices starts with a trusted bootstrap through vBond, which authenticates the new device and helps establish the correct path into the SD-WAN fabric. The device then exchanges a certificate with the certificate authority (often coordinated via vManage) to obtain a CA-signed certificate, and it verifies the trust chain by checking the root and intermediate certificates. Once identity and trust are established, the vEdge joins the fabric under vManage control, becoming an authenticated member of the SD-WAN overlay. This flow ensures each device has a unique identity and is trusted before participating, enabling secure mutual TLS, proper policy enforcement, and scalable security. Direct joins without certificates, or sharing a single certificate across all devices, would remove authentication and trust, making the fabric insecure and unscalable.
