THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
DNA Center Software | 1 | 1.0, 1.1, 1.2, 1.2.12, 1.2.12.1, 1.2.12.2, 1.3, 1.3.0.3, 1.3.0.4, 1.3.0.5, 1.3.0.6, 1.3.0.7, 1.3.1.0, 1.3.1.2, 1.3.1.3, 1.3.1.4, 1.3.1.5, 1.3.1.6, 1.3.1.7, 1.3.2.0, 1.3.2.1, 1.3.3.0, 1.3.3.1, 1.3.3.3, 1.3.3.4, 1.3.3.5, 1.3.3.6, 1.3.3.7, 1.3.3.8, 1.3.3.9, 1.4.0.0 | |
DNA Center Software | 2 | 2.1.1.0, 2.1.1.3, 2.1.2.0, 2.1.2.3, 2.1.2.4, 2.1.2.5, 2.1.2.6, 2.1.2.7, 2.1.2.8, 2.2.1.0 | |
Defect ID | Headline |
---|---|
CSCwa68646 | RootCA certificate rollover support needed for Cisco DNA Center |
In Cisco DNA Center releases prior to Release 2.2.2.0, the Public Key Infrastructure (PKI) root certificate expires five years after the product is initially installed. The expiration date is not reset when the software is upgraded and the root certificate is not automatically renewed when it expires. If the root certificate expires, Cisco DNA Center will fail to establish control connections to devices.
Cisco DNA Center makes use of an internal PKI certificate authority (CA), configured as either a root or subordinate CA, to establish secure client connections to devices. The root certificate for this CA is generated by Cisco DNA Center and the validity period starts when the software is initially installed. The root certificate is not regenerated when Cisco DNA Center software is upgraded and some releases do not have the capability to renew the certificate.
Cisco DNA Center releases earlier than Release 2.2.2.0 generate a root certificate with a five-year expiration. Cisco DNA Center releases 2.2.2.0 and later generate a root certificate with a 15-year expiration. Cisco DNA Center appliances that were initially installed with a release earlier than Release 2.2.2.0 may have a PKI root certificate that is about to expire. If the certificate is allowed to expire, Cisco DNA Center will no longer connect to any of its devices, and manual intervention will be required from the Cisco Technical Assistance Center (TAC) to recover.
Note: Cisco DNA Center appliances that are upgraded to Release 2.3.3.0 or later before the certificate expires are not affected by this problem, regardless of the software release that was initially installed. Release 2.3.3.0 introduced a root certificate rollover feature that automatically renews the PKI root certificate before it expires.
The PKI root certificate validity period and expiration date information is available from the Cisco DNA Center user interface. To see it, choose System > Settings > Trust & Privacy > PKI Certificates. Locate the certificate expiration date. In the following example, the expiration date is in the past. Actual certificate expiration dates will vary.
Affected systems will show a Certificate Lifetime of 1,825 days (five years). If the Expiration Date is in the past, the certificate has already expired and manual intervention by Cisco TAC is required.
If a Cisco DNA Center appliance has a five-year root certificate that has not yet expired, Cisco recommends upgrading to software Release 2.3.3.0 or later before the certificate expires. Cisco DNA Center releases 2.3.3.0 and later have a root certificate rollover feature that automatically renews the PKI root certificate before it expires.
If the root certificate has not expired but upgrading is not possible, a second option is to switch the Cisco DNA Center appliance to Subordinate CA mode. In Subordinate CA mode, the internal CA uses a certificate that is signed by an external root CA that you provide instead of the root certificate that was generated when the software was installed. For more information on Subordinate CA mode, see the Change the Role of the PKI Certificate from Root to Subordinate section of the Cisco DNA Center Security Best Practices Guide.
If the PKI root certificate has already expired, contact the Cisco TAC for assistance. There is no software fix or product feature available to renew the certificate if it has already expired. Also, upgrading to Release 2.3.3.0 or later will not renew the root certificate if it has already expired prior to the upgrade.
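The UI check above gives the Certificate Lifetime and Expiration Date; the following script, added here as an example and not part of the field notice or Cisco's software, makes the same determination from an exported copy of the root CA certificate and maps the result to the three outcomes described above (still valid, already expired, or not the five-year certificate). It assumes the certificate is available as PEM text; the certificate it parses is a constructed, unsigned skeleton built only to exercise the parser, and the status labels are this example's own.

```python
"""Check an exported Cisco DNA Center PKI root certificate for the five-year
(1,825-day) lifetime described in the field notice. Added example, not Cisco
code. Assumes the CA certificate is available as PEM; validity is read by
walking the X.509 DER structure, so only the standard library is needed."""
import base64
import re
from datetime import datetime, timedelta, timezone

FIVE_YEAR_DAYS = 1825   # Certificate Lifetime shown by affected systems


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    text = raw.decode("ascii")
    if tag == 0x17:                       # RFC 5280: YY < 50 means 20YY, else 19YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_der(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, pos, _ = _read_tlv(der, 0)         # Certificate SEQUENCE
    tag, pos, _ = _read_tlv(der, pos)     # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, nxt = _read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                    # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    _, pos, _ = _read_tlv(der, pos)       # validity SEQUENCE
    t1, s1, e1 = _read_tlv(der, pos)
    t2, s2, e2 = _read_tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def assess(pem, today):
    """Map the certificate to the field notice outcomes (labels are this example's):
    'expired'  1,825-day lifetime, notAfter in the past -> TAC case
    'expiring' 1,825-day lifetime, still valid -> upgrade to 2.3.3.0+ or Subordinate CA
    'other-lifetime' not the five-year certificate -> confirm in the UI"""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    nb, na = validity_from_der(pem_to_der(pem))
    lifetime_days, days_left = (na - nb).days, (na - now).days
    if lifetime_days != FIVE_YEAR_DAYS:
        status = "other-lifetime"
    elif days_left < 0:
        status = "expired"
    else:
        status = "expiring"
    return {"not_before": nb.strftime("%Y-%m-%d"), "not_after": na.strftime("%Y-%m-%d"),
            "lifetime_days": lifetime_days, "days_left": days_left, "status": status}


# --- constructed fixture so the example runs offline (not a real DNA Center cert) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        head = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + head + payload


def _time(dt):                            # UTCTime before 2050, GeneralizedTime after
    if dt.year < 2050:
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_fixture(not_before, lifetime_days):
    """Unsigned certificate skeleton (no key, no extensions) with the given
    validity; exists only to exercise the parser on a known lifetime."""
    nb = datetime.strptime(not_before, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    na = nb + timedelta(days=lifetime_days)
    sha256_rsa = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    name = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403")
                                       + _der(0x0C, b"example-dnac-root-ca"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + name + _der(0x30, _time(nb) + _time(na)) + name)
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

Run `assess(open("root-ca.pem").read(), "2023-06-13")` against the exported certificate; a result of `expired` corresponds to the TAC case in the text, `expiring` to the upgrade or Subordinate CA options, and `other-lifetime` means the certificate does not show the 1,825-day lifetime that identifies affected systems. The parser accepts both UTCTime and GeneralizedTime, since a certificate expiring in 2050 or later is encoded with the latter.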
If a Cisco DNA Center appliance meets all of the following conditions, it is affected by this problem:
Version | Description | Section | Date |
---|---|---|---|
1.0 | Initial Release | — | 2023-JUN-13 |
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.