THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
2.0 | 24-Feb-22 | Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections |
1.0 | 07-Jan-22 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | Emergency Responder Updates | CER 12.0 | 12.0(1) SU1, 12.0(1) SU2 | |
NON-IOS | Emergency Responder Updates | CER 12.5 | 12.5(1), 12.5(1)SU1, 12.5(1)SU2, 12.5(1)SU3, 12.5(1)SU4, 12.5(1a) | |
NON-IOS | Emergency Responder Updates | 14 | 14 | |
Defect ID | Headline |
---|---|
CSCvx00538 | QuoVadis root CA decommission on Cisco Emergency Responder |
For affected versions of the Cisco Emergency Responder (CER) software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing will fail to establish secure connections to Cisco and might not operate properly.
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by CER software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing to fail to establish secure connections to Cisco cloud servers.
This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.
Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
---|---|---|
tools.cisco.com | February 5, 2022 | Smart Licensing |
Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.
Affected Services | Symptoms for Affected Services |
---|---|
Smart Licensing | Failure to connect to the server (Details are provided in this section) |
For CER, affected versions will be unable to connect to the Smart Licensing services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.
For CER, choose System > Licensing Manager in the administrator web interface in order to view the licensing status.
The features that use Smart Licensing will continue to function for 90 days after the last successful secure connection. Some Smart Licensing symptoms are:
The product instance was unable to renew license authorization due to a communication timeout. Ensure that the product instance can communicate with Smart Software Manager or your Smart Software Manager satellite. The Product Instance will continue attempting license authorization periodically until it succeeds, or authorization expires.
Enforced Mode will stop the phone tracking engine and the discovery of devices from Cisco Unified Communications Manager (CUCM) is blocked.
Note: Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.
For additional information, refer to the Cisco Smart Licensing Guide.
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to CER.
Software Upgrade
For CER-based devices, upgrade to one of the CER software versions shown in the table in order to resolve the root CA certificate issue for affected platforms.
Release Version | Fixed Version |
---|---|
CER 12.0(1) SU1, 12.0(1) SU2, 12.5(1), 12.5(1a), 12.5(1)SU1, 12.5(1)SU2, 12.5(1)SU3, 12.5(1)SU4 | CER 12.5(1)SU5, CER 14SU1 |
If the CER version is 12.5.1SU5 or 14SU1 or later, no action is needed as the new certificate is provided natively.
Manual Certificate Update
For all other CER 12.0, 12.5, and 14 versions, Cisco recommends that you install the COP file on the CER Publisher in order to add the new IdenTrust Commercial Root CA 1 certificate to CER.
Note: Existing certificates issued from the HydrantID SSL ICA G3 do not need replacement. They are normal certificates issued from the current SSL certificate service and can be used until expiration.
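A fleet triage sketch for the two options above, added here as an example and not Cisco code: it classifies CER version strings against the fixed versions in this notice and ranks affected nodes by days remaining in the 90-day Smart Licensing window. The hostnames, the inventory layout, and the last-successful-connection dates are constructed assumptions; read the real date from System > Licensing Manager.

```python
import re
from datetime import date, timedelta

# Accepts the spellings used in this notice: "12.5(1)SU4", "12.5(1a)",
# "12.5.1SU5", "14", "14SU1", with or without a leading "CER".
_VERSION = re.compile(
    r"^\s*(?:CER\s*)?(\d+)(?:\.(\d+))?(?:\((\d+)([a-z]?)\)|\.(\d+))?"
    r"\s*(?:SU\s*(\d+))?\s*$", re.IGNORECASE)

# First Service Update per release train that carries the IdenTrust root natively.
FIXED_SU = {(12, 5): 5, (14, 0): 1}
# Release trains the notice lists as affected.
AFFECTED_TRAINS = {(12, 0), (12, 5), (14, 0)}
# Features keep working this long after the last successful secure connection.
GRACE = timedelta(days=90)

def parse_version(text):
    """Return ((major, minor), su); the maintenance number is not needed here."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognized CER version: {text!r}")
    return (int(m.group(1)), int(m.group(2) or 0)), int(m.group(6) or 0)

def classify(text):
    train, su = parse_version(text)
    if train in FIXED_SU and su >= FIXED_SU[train]:
        return "fixed"          # new root certificate provided natively
    if train in AFFECTED_TRAINS:
        return "needs-update"   # upgrade, or install the COP file on the Publisher
    return "not-listed"         # release train not covered by this notice

def triage(inventory, today):
    """inventory: (host, version, last successful Smart Licensing connection)."""
    rows = []
    for host, version, last_ok in inventory:
        status = classify(version)
        days_left = None
        if status == "needs-update":
            days_left = (last_ok + GRACE - today).days
        rows.append((host, status, days_left))
    # Nodes closest to the end of the grace window first, unaffected nodes last.
    rows.sort(key=lambda r: (r[2] is None, r[2] or 0))
    return rows

# Constructed sample inventory (hypothetical hosts and dates).
SAMPLE = [
    ("cer-pub-01", "12.5(1)SU4", date(2022, 2, 4)),
    ("cer-pub-02", "14SU1", date(2022, 2, 20)),
    ("cer-pub-03", "12.0(1) SU2", date(2022, 1, 10)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2022, 2, 24)):
        print(row)
```

Nodes that use offline licensing (PLR or SLR) are not affected by the server certificate change and can be left out of the inventory.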
Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: