Introduction
This document describes how the certificate authority change of March 31, 2021 affects Smart Licensing on Expressway.
Cisco moves to a new Certificate Authority, IdenTrust Commercial Root CA 1, from March 2021. If you use Smart Licensing on Expressway, upload the new root certificate to your Expressway devices before March 31, 2021. If it is not uploaded, the connection sync between Expressway and Cisco Smart Software Manager (CSSM) breaks.
Background Information
The QuoVadis Public Key Infrastructure (PKI) Root CA 2 used by CCP to issue SSL certificates is subject to an industry-wide issue that affects revocation capabilities. Because of this issue, the QuoVadis Root CA 2 is decommissioned on 2021-03-31, and no new certificates are issued for Cisco by the QuoVadis Root CA 2 after that date.
Certificates issued before the QuoVadis Root CA 2 is decommissioned remain valid until they reach their individual expiration dates. Once those certificates expire they are not renewed, which can cause functions such as Smart Licensing to fail to establish secure connections.
Beginning 2021-04-01, the IdenTrust Commercial Root CA 1 is used to issue SSL certificates previously issued by the QuoVadis Root CA 2.
- March 23, 2021 update: Customers that use Cloud Certificate Management do not currently see the new IdenTrust certificate in their list of certificates. The existing QuoVadis (O=QuoVadis Limited, CN=QuoVadis Root CA 2) certificate is still valid. The IdenTrust certificate becomes available in Cloud Certificate Management at a future date (TBD). If you use Cloud Certificate Management, you do not experience any service interruption as a result of this announcement, and you need take no action at this time.
Problem
For all Expressway Core and Edge devices, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot be renewed from that CA. Once those certificates expire, functions such as Smart Licensing fail to establish secure connections to Cisco and might not operate properly.
Symptom
Affected Expressway Core and Edge platforms are unable to register with the Smart Licensing service hosted at tools.cisco.com. Smart licenses might fail entitlement and show an Out of Compliance status.
Note: Cisco provides a 60-day grace period before affected Smart Licenses are placed in an Authorization Expired status, which impacts feature functionality. Smart license registration for new products might be affected and requires the workaround/solution below.
Solution
The steps are also explained in this video: https://video.cisco.com/video/6241489762001
Instructions for uploading the new certificate onto Expressway-Core and Expressway-Edge:
Step 1. Download the IdenTrust Commercial Root CA 1 certificate here and save it as identrust_RootCA1.pem or identrust_RootCA1.cer.
1. Access the website linked above.
2. Copy the text inside the box, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
3. Paste the text into Notepad and save the file as identrust_RootCA1.pem or identrust_RootCA1.cer.
On all your Expressway devices, navigate to Maintenance > Security > Trusted CA Certificate.
Step 2. Upload the file to the Expressway trust store.
Upload the CA certificate to the Expressway trust store: click Browse, select identrust_RootCA1.pem, then click Append CA certificate.
The uploaded CA certificate then appears in the list of trusted CA certificates.
Step 3. Verify that the certificate uploaded successfully and is present in the VCS / Expressway trust store.
No reboot or restart is required after this operation for the changes to take effect.
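Because Step 1 has you copy certificate text out of a browser box into Notepad, it is worth checking the resulting file on the admin workstation before appending it to every Expressway. The script below is an added example, not part of the Cisco document or Expressway itself; it assumes the openssl command-line tool is installed, the file names are placeholders, and the expected SHA-256 fingerprint must be taken from the value IdenTrust publishes for Commercial Root CA 1 (it is deliberately not reproduced here). It strips CRLF and stray text around the PEM block, then confirms the certificate is a self-signed, unexpired CA whose subject CN is the root you intended, and optionally compares the fingerprint. check_chain needs network access and is only a template for confirming, after the upload, that the licensing endpoint really chains to that root.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: sanity-check a root CA PEM
# file on the admin workstation before appending it to the Expressway trust
# store. Assumes the openssl CLI is installed. File names and the host/port
# passed to check_chain are placeholders.

# normalize_pem IN OUT
# Text pasted from a browser box into Notepad often carries CRLF line endings
# or stray text around the certificate. Keep only the PEM block, LF-terminated.
normalize_pem() {
    tr -d '\r' < "$1" \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# cert_sha256 FILE
# Print the SHA-256 fingerprint as 64 upper-case hex digits without colons,
# so it can be compared with a published value by plain string equality.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
      | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# check_root FILE EXPECTED_CN [EXPECTED_SHA256]
# Succeed only if FILE is a parsable, self-signed, unexpired CA certificate
# whose subject CN is EXPECTED_CN and, when given, whose SHA-256 fingerprint
# equals EXPECTED_SHA256. Obtain EXPECTED_SHA256 out of band (IdenTrust's
# published fingerprint), never from the file you are checking.
check_root() {
    file=$1; want_cn=$2
    want_fp=$(printf '%s' "${3:-}" | tr -d ': ' | tr 'a-f' 'A-F')

    # 1. It must parse as an X.509 certificate at all.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 \
      || { echo "FAIL: $file is not a valid PEM certificate"; return 1; }

    # 2. A root is self-signed: issuer DN equals subject DN.
    subject=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$file" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subject" = "$issuer" ] \
      || { echo "FAIL: issuer differs from subject, this is not a root CA"; return 1; }

    # 3. The subject CN must be the root you intended to download.
    case ",$subject," in
        *",CN=$want_cn,"*) ;;
        *) echo "FAIL: unexpected subject '$subject'"; return 1 ;;
    esac

    # 4. It must be marked as a CA (basicConstraints CA:TRUE).
    openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE' \
      || { echo "FAIL: basicConstraints CA:TRUE missing"; return 1; }

    # 5. It must not already be expired (-checkend 0 fails on an expired cert).
    openssl x509 -in "$file" -noout -checkend 0 >/dev/null \
      || { echo "FAIL: certificate has expired"; return 1; }

    # 6. Optional: compare with the fingerprint obtained out of band.
    fp=$(cert_sha256 "$file")
    if [ -n "$want_fp" ] && [ "$fp" != "$want_fp" ]; then
        echo "FAIL: fingerprint $fp does not match expected $want_fp"; return 1
    fi
    echo "OK: $subject  SHA256=$fp"
}

# check_chain HOST PORT ROOTFILE
# After the root is in the trust store, confirm the licensing endpoint's
# chain validates against that root alone. Needs network access, so it is
# not exercised offline. The page names tools.cisco.com as the Smart
# Licensing host; substitute the endpoint your deployment actually uses.
check_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh check_root.sh identrust_RootCA1.pem [EXPECTED_SHA256]
if [ -n "${1:-}" ]; then
    normalize_pem "$1" "$1.clean" \
      && check_root "$1.clean" "IdenTrust Commercial Root CA 1" "${2:-}"
fi
```

If check_root reports OK but check_chain later fails against the endpoint, the endpoint is presenting a chain that does not terminate at this root, and the trust store needs whichever root that chain actually uses; an OK from check_root only tells you the file you are about to upload is the genuine, intact root you meant to upload.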
For more details, see the Field Notice: https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70557.html