THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.2 | 28-Jul-22 | Updated the Workaround/Solution Section |
1.1 | 13-Aug-21 | Updated the Workaround/Solution Section |
1.0 | 04-Aug-21 | Initial Release |

Affected Product ID | Comments |
---|---|
15454-M-WSE-K9 | |
15454-M-WSE-K9= | |
15454-M-WSE-L-K9 | |
15454-M-WSE-L-K9= | |
NCS2K-MR-MXP-LIC= | |
NCS2K-400G-XP= | |
NCS2K-400GXP-L-K9= | |
NCS2K-400GXP-L-K9 | |

Defect ID | Headline |
---|---|
CSCvw25904 | WSE SUDI 2099 and New SC alarm SUPPORT |
CSCvw61564 | SUDI 2099 support for MR-MXP |
CSCvv68107 | SUDI 2099 and new SC Alarm Support From LC |
The Cisco Secure Unique Device Identifier (SUDI) certificate is valid until the year 2029 on a limited number of Cisco products. (See the Products Affected section for the list of products.) Any service that relies on a SUDI 2029 certificate that is deployed in the field with encryption turned on will not work after the certificate expires.
The current SUDI certificate will expire ten years after the date of manufacture or in the year 2029, whichever date comes first.
Because of this, customers who have deployed encryption functionality on the WSE, MR-MXP, and 400G XP products that appear in the Products Affected section will observe that the functionality no longer works after ten years of operation or the year 2029.
The Network Convergence System (NCS) 2000 platform encryption-supported modules will be migrated to a new version of software for the adoption of SUDI 2099.
After ten years of use of the SUDI 2029 certificate, encryption functionality is disabled. Also, the SUDI certificate cannot be used for authentication purposes after the year 2029. This leads to a Service Creation Failure error.
This screenshot shows the standing condition "MIC cert is expired switch to LSC."
Note: A standing condition is raised when SUDI 2029 certification expires with Release 11.1.2 and SUDI 2099 certification is implemented.
The solution is provided in Software Release 11.1.2, which provides a SUDI 2099 certificate that is valid for 99 years.
Cisco recommends that users upgrade to Release 11.1.2 when they are ready to migrate and before any services are impacted, based on the turn-up date of encryption services for the respective hardware modules.
Users who migrate to Release 11.1.2 will have to upgrade both endpoints of the link. For example, if the device on one end of the link runs Release 11.1.2 and the device on the other end runs a previous release, there is a possibility of a key exchange failure because of a SUDI Certificate update.
Note: Users can still use the SUDI 2029 certificate after the upgrade of the modules to Release 11.1.2. However, Cisco recommends that you use the latest SUDI certificate.
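A planning check for the two rules stated above (SUDI 2029 expiry at ten years from manufacture or 2029, whichever comes first, and the need to upgrade both endpoints of a link), as an added example that is not Cisco code. The inventory layout, the status names and the 1 January 2029 cutoff are assumptions; the notice gives only the year.

```python
from datetime import date

# Assumption: the notice says only "the year 2029", so the conservative cutoff
# used here is the first day of that year.
SUDI_2029_CUTOFF = date(2029, 1, 1)
FIXED_RELEASE = (11, 1, 2)  # release the notice names as carrying SUDI 2099


def parse_release(text):
    """'11.1.2' -> (11, 1, 2); assumes plain dotted-numeric release strings."""
    return tuple(int(part) for part in text.strip().split("."))


def sudi_2029_expiry(manufactured):
    """Earlier of (manufacture date + 10 years) and the 2029 cutoff."""
    try:
        ten_years = manufactured.replace(year=manufactured.year + 10)
    except ValueError:  # 29 Feb with no counterpart ten years later
        ten_years = date(manufactured.year + 10, 2, 28)
    return min(ten_years, SUDI_2029_CUTOFF)


def audit_link(ends, today):
    """Classify one encrypted link; `ends` holds the two endpoint cards."""
    deadline = min(sudi_2029_expiry(card["manufactured"]) for card in ends)
    fixed = [parse_release(card["release"]) >= FIXED_RELEASE for card in ends]
    if all(fixed):
        status = "both-ends-upgraded"
    elif any(fixed):
        status = "mixed-releases"  # notice: key exchange failure is possible
    elif deadline <= today:
        status = "sudi-2029-expired"
    else:
        status = "upgrade-before-deadline"
    return status, deadline


# Constructed inventory: node names, dates and releases are made up.
LINKS = {
    "link-1": [{"node": "A", "manufactured": date(2015, 6, 1), "release": "10.9"},
               {"node": "B", "manufactured": date(2019, 2, 1), "release": "10.9"}],
    "link-2": [{"node": "C", "manufactured": date(2020, 3, 10), "release": "11.1.2"},
               {"node": "D", "manufactured": date(2020, 3, 10), "release": "11.1.1"}],
}

if __name__ == "__main__":
    for name, ends in LINKS.items():
        status, deadline = audit_link(ends, today=date(2026, 1, 15))
        print(f"{name}: {status}, earliest SUDI 2029 expiry {deadline}")
```

The deadline returned for a link is the earliest SUDI 2029 expiry across its two cards, which is the date by which both ends need to be on the fixed release.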
Additional Notes
Users might observe encryption failure on Manufacturer Installed Certificate (MIC) SUDI 2099 cards on NCS2K devices because of mismatched SUDI support files (CMCA.DER, CRCA.DER) in the SUDI certificate chain. The affected cards raise the standing alarms "KEY-EX-FAIL" and "Local-Cert-Chain-Verification-Failed" while in the problem state.
There is a workaround available to fix such MIC SUDI 2099 cards. Users who experience this issue should contact Cisco Technical Support for details and workaround instructions.
See these documents for more information on migration to Release 11.1.2:
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: