Field Notice: FN - 72111 - Cisco Identity Services Engine – QuoVadis Root Certificate Decommission Might Affect Posture, Profiler Feed, Client Provisioning, Support Diagnostics Connector, and Smart Licensing Functionality - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
2.0 |
22-Feb-22 |
Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections |
1.2 |
16-Dec-21 |
Updated the Workaround/Solution Section |
1.1 |
15-Dec-21 |
Updated the Workaround/Solution Section |
1.0 |
04-Mar-21 |
Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Identity Services Engine System Software |
1 |
1.0, 1.0 MR, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 1.2.1, 1.3, 1.4 |
All versions prior to and including ISE 3.0 P2 are affected. |
NON-IOS |
Identity Services Engine System Software |
2 |
2.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.6.0, 2.7.0 |
All versions prior to and including ISE 3.0 P2 are affected. |
NON-IOS |
Identity Services Engine System Software |
3 |
3.0.0 |
All versions prior to and including ISE 3.0 P2 are affected. |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCvx23205 | Add IdenTrust Commercial Root CA 1 Certificate to ISE truststore |
| CSCvx50752 | Add IdenTrust Commercial Root CA 1 Certificate for Smart Call Home and Smart Licensing |
| CSCvx51738 | Add IdenTrust Commercial Root CA 1 Certificate for Network Success Diagnostics |
Problem Description
For affected versions of the Cisco Identity Services Engine (ISE) software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Posture, Profiler Feed, Client Provisioning Updates, Cisco Support Diagnostics Connector, and Smart Licensing will fail to establish secure connections to Cisco and might not operate properly.
Background
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by the ISE software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Posture, Profiler Feed, Client Provisioning Updates, Cisco Support Diagnostics Connector, and Smart Licensing to fail to establish secure connections to Cisco cloud servers.
This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.
| Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
|---|---|---|
| tools.cisco.com | February 5, 2022 |
|
| smartreceiver.cisco.com | January 26, 2023 |
|
| iseservice.cisco.com | January 7, 2022 |
|
| ise.cisco.com | January 25, 2022 |
|
Problem Symptom
Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.
| Affected Services | Symptoms for Affected Services |
|---|---|
| Smart Licensing | Failure to connect to the server (Details are provided in this section) |
| Smart Call Home | Failure to connect to the server and the Call-Home HTTP request fails |
| Posture | Failure to connect to the server (Details are provided in this section) |
| Profiler Feed | Failure to connect to the server (Details are provided in this section) |
| Client Provisioning | Failure to connect to the server (Details are provided in this section) |
| Cisco Support Diagnostics Connector | Failure to connect to the server (Details are provided in this section) |
For ISE devices, affected devices will be unable to connect to the Smart Licensing, Smart Call Home, Posture, Profiler Feed, Client Provisioning Updates, and Cisco Support Diagnostics Connector services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.
The features that use Smart Licensing will continue to function for one year after the last successful secure connection. Some Smart Licensing symptoms are:
- The device might indicate a failure to communicate with the Smart Licensing server within 30 days from the last successful connection.
- The device will show the "Authorization Expired" state if there is no communication with the Smart Licensing server within 90 days.
- The device will show the "Unregistered" state if there is no communication with the Smart Licensing server after one year and the licensed features usage become suspended.
Note: Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.
For additional information, refer to the Cisco Smart Licensing Guide and the Cisco Identity Services Engine Administrator Guide for your specific version of ISE software.
Error messages for the affected features will be displayed when the system has not been updated to the new root certificate. Examples of these messages are shown here:
Smart Licensing Registration Failure
Affected ISE versions will be unable to register with the Smart Licensing server hosted by tools.cisco.com under Administration > System > Licensing.
Posture Update Failure
Affected ISE versions will be unable to access the Posture Update Feed URL under Administration > System > Settings > Posture > Updates.
Profiler Feed Update Failure
Affected ISE versions will be unable to connect to the Profiler Feed Service under Administration > Feed Service > Profiler.
Client Provisioning Download Failure
Affected ISE versions will be unable to connect to the Client Provisioning feed under Policy > Policy Elements > Results > Client Provisioning > Resources.
Cisco Support Diagnostics Connector Configuration Failure
Affected ISE versions will be unable to enable "Cisco Support Diagnostics" under Administration > System > Settings > Network Success Diagnostics > Cisco Support Diagnostics.
Workaround/Solution
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to ISE.
- Software Upgrade
- Manual Certificate Update
Software Upgrade
For ISE-based devices, upgrade to one of these ISE software versions in order to resolve the root CA certificate issue for affected platforms. This is the preferred solution method.
| Release Version | Fixed Version |
|---|---|
| ISE 2.4.0 | ISE 2.4 Patch 14 |
| ISE 2.6.0 | ISE 2.6 Patch 9 |
| ISE 2.7.0 | ISE 2.7 Patch 4 |
| ISE 3.0.0 | ISE 3.0 Patch 3 |
Manual Certificate Update
Cisco Support Diagnostics Connector and Smart Licensing
For Cisco Support Diagnostics Connector and Smart Licensing, there is no current method for manual certificate updates. Upgrade the ISE system software as mentioned in the Software Upgrade section. Note that the Cisco Support Diagnostics Connector feature only applies to ISE Release 2.7 and later.
Posture, Profiler Feed, and Client Provisioning Updates
In order to resolve this issue for Posture, Profiler Feed, and Client Provisioning Updates, complete these steps to install the new IdenTrust root certificate chain provided at Cisco.com and trust it for authentication of Cisco Services:
- Choose Administration > System > Certificates > Trusted Certificates and click Import.
- Browse and choose the IdenTrust.crt. Check the Trust for Authentication of Cisco Services check box and click Submit.
Service is restored for Posture, Profiler Feed, and Client Provisioning Updates.
In order to verify Posture Updates, choose Updates from the Posture option under Administration > System > Settings. In Posture Updates section, click Update Now. A successful message will display similar to the one in this screenshot:
In order to verify Profiler Feed Updates, choose the Profiler option under Administration > Feed Service. In the Profiler Feed Service Configuration section, click Update Now. A successful message will display similar to the one in this screenshot:
In order to verify Client Provisioning Updates, choose the Resources option under Policy > Policy Elements > Results > Client Provisioning.
For More Information
Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
Unleash the Power of TAC's Virtual Assistance