THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
2.0 |
24-Mar-22 |
Updated the Background Section |
1.3 |
09-Mar-22 |
Updated the Background, Products Affected, and Workaround/Solution Sections and Added the Additional Information Section |
1.2 |
18-Feb-22 |
Updated the Products Affected, Problem Description, and Workaround/Solution Sections |
1.1 |
03-Feb-22 |
Updated the Products Affected and Defect Information Sections |
1.0 |
20-Dec-21 |
Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS |
Adaptive Security Appliance (ASA) Software |
9 |
9.12.2, 9.12.3, 9.12.4, 9.14.1, 9.14.2, 9.15.1, 9.8.2, 9.8.4 |
|
NON-IOS |
Adaptive Security Appliance (ASA) Software |
Interim |
9.1.7 Interim, 9.10.1 Interim, 9.12.1 Interim, 9.12.4 Interim, 9.13.1 Interim, 9.15.1 Interim, 9.2.4 Interim, 9.4.4 Interim, 9.6.4 Interim, 9.8.4 Interim, 9.9.2 Interim |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.1 |
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.2 |
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.3 |
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.4 |
6.4.0, 6.4.0.1, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, 6.4.0.8, 6.4.0.9 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.5 |
6.5.0, 6.5.0.2, 6.5.0.4, 6.5.0.5 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.6 |
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.7 |
6.7.0, 6.7.0.1, 6.7.0.2 |
|
NON-IOS |
Firepower Management Center Software |
6.1 |
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7 |
|
NON-IOS |
Firepower Management Center Software |
6.2 |
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9 |
|
NON-IOS |
Firepower Management Center Software |
6.3 |
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5 |
|
NON-IOS |
Firepower Management Center Software |
6.4 |
6.4.0, 6.4.0.1, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7, 6.4.0.8, 6.4.0.9 |
|
NON-IOS |
Firepower Management Center Software |
6.5 |
6.5.0, 6.5.0.1, 6.5.0.2, 6.5.0.4, 6.5.0.5 |
|
NON-IOS |
Firepower Management Center Software |
6.6 |
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4 |
|
NON-IOS |
Firepower Management Center Software |
6.7 |
6.7.0, 6.7.0.1, 6.7.0.2 |
|
NON-IOS |
Firepower Extensible Operating System |
2.0 |
2.0.1.135, 2.0.1.141, 2.0.1.144, 2.0.1.148, 2.0.1.149, 2.0.1.153, 2.0.1.159, 2.0.1.188, 2.0.1.201, 2.0.1.203, 2.0.1.204, 2.0.1.206, 2.0.1.37, 2.0.1.68, 2.0.1.86 |
|
NON-IOS |
Firepower Extensible Operating System |
2.1 |
2.1.1.106, 2.1.1.107, 2.1.1.113, 2.1.1.115, 2.1.1.116, 2.1.1.64, 2.1.1.73, 2.1.1.77, 2.1.1.83, 2.1.1.85, 2.1.1.86, 2.1.1.97 |
|
NON-IOS |
Firepower Extensible Operating System |
2.2 |
2.2.1.63, 2.2.1.66, 2.2.1.70, 2.2.2.101, 2.2.2.137, 2.2.2.17, 2.2.2.19, 2.2.2.24, 2.2.2.26, 2.2.2.28, 2.2.2.54, 2.2.2.60, 2.2.2.71, 2.2.2.83, 2.2.2.86, 2.2.2.91, 2.2.2.97 |
|
NON-IOS |
Firepower Extensible Operating System |
2.3 |
2.3.1.110, 2.3.1.111, 2.3.1.130, 2.3.1.144, 2.3.1.145, 2.3.1.155, 2.3.1.166, 2.3.1.173, 2.3.1.179, 2.3.1.180, 2.3.1.190, 2.3.1.215, 2.3.1.216, 2.3.1.58, 2.3.1.66, 2.3.1.73, 2.3.1.75, 2.3.1.88, 2.3.1.91, 2.3.1.93, 2.3.1.99 |
|
NON-IOS |
Firepower Extensible Operating System |
2.4 |
2.4.1.101, 2.4.1.214, 2.4.1.222, 2.4.1.234, 2.4.1.238, 2.4.1.244, 2.4.1.249, 2.4.1.252, 2.4.1.266, 2.4.1.268, 2.4.1.273 |
|
NON-IOS |
Firepower Extensible Operating System |
2.6 |
2.6.1.131, 2.6.1.157, 2.6.1.166, 2.6.1.169, 2.6.1.174, 2.6.1.187, 2.6.1.192, 2.6.1.204, 2.6.1.214, 2.6.1.224 |
|
NON-IOS |
Firepower Extensible Operating System |
2.7 |
2.7.1.106, 2.7.1.122, 2.7.1.131, 2.7.1.143, 2.7.1.92, 2.7.1.98 |
|
NON-IOS |
Firepower Extensible Operating System |
2.8 |
2.8.1.105, 2.8.1.125, 2.8.1.139, 2.8.1.143, 2.8.1.152, 2.8.1.164 |
|
NON-IOS |
Firepower Extensible Operating System |
2.9 |
2.9.1.131, 2.9.1.135 |
|
NON-IOS |
Firepower Extensible Operating System |
2.10 |
2.10.1.159, 2.10.1.166 |
Defect ID | Headline |
---|---|
CSCvx00496 | QuoVadis root CA decommission on pix-asa |
CSCvx30107 | Default trustpoint _SmartCallHome_ServerCA using SHA1 which is not supported |
CSCvx71184 | Smart call home trustpoint should have both Quovadis & IdenTrust |
CSCvy80325 | Include the ios pem files into the patch upgrade package for vFTD |
CSCvx19563 | FDM: Need to update various items to use STO Certificate Trust Bundle (QuoVadis Root CA Issue/PSIRT) |
CSCvx13861 | QuoVadis root CA decommission on Firepower 9300/4100 Supervisor |
CSCvx00431 | QuoVadis root CA decommission on sfims - update certificate files on SFOS based FMC and NGIPS units |
CSCwa88571 | Unable to register FMC with the Smart Portal |
CSCvx28070 | Update QuoVadis root CA for Smart license as it is getting decommissioned |
For affected versions of the Adaptive Security Appliance (ASA), Firepower eXtensible Operating System (FXOS), and Firepower software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing and Smart Call Home will fail to establish secure connections to Cisco and might not operate properly.
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by ASA, FXOS, and Firepower software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing and Smart Call Home to fail to establish secure connections to Cisco cloud servers.
This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.
Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
---|---|---|
tools.cisco.com | February 5, 2022 |
|
smartreceiver.cisco.com | January 26, 2023 |
|
Security Services Exchange (SSE) NAM | March 22, 2023 May 5, 2022 for CSD feature only |
|
SSE EU | March 22, 2023 May 5, 2022 for CSD feature only |
|
SSE APJ | March 16, 2023 May 5, 2022 for CSD feature only |
Note: The Advanced Malware Protection (AMP) services are not affected by the QuoVadis certificate expiration.
Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.
Affected Services | Symptoms for Affected Services |
---|---|
Smart Licensing | Failure to connect to the server (Details are provided in this section) |
Smart Call Home | Failure to connect to the server and the Call-Home HTTP request fails Note: Smart Call Home is the carrier for Smart Licensing and other telemetry data communication. |
SSE connectivity, messaging, and eventing for security cloud services | SSE connectivity, enrollment, and messaging will fail |
Eventing for Security Analytics and Logging (SAL) and SecureX | Events for SAL and SecureX will fail |
Cisco Support Diagnostics (CSD) used by TAC to upload diagnostics | Uploads to CSD will fail |
Access to FDM using Cisco Defense Orchestrator (CDO) | Onboarding new devices will fail, existing devices will not be able to provide status or deploy configurations |
Low Touch Provisioning (LTP) | Onboarding of devices in CDO will fail |
Ribbon integration for SecureX | Onboarding of the SecureX ribbon in FMC will fail, but the browser flow will be unaffected |
For Firepower devices, affected devices will be unable to connect to the Smart Licensing and Smart Call Home services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.
The features that use Smart Licensing will continue to function for one year after the last successful secure connection. Some Smart Licensing symptoms are:
Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.
For additional information, refer to the Cisco Smart Licensing Guide.
ASA - Problem Symptoms
For ASA-based devices, enter the show license registration
command in order to view the licensing status. Affected ASA security chassis will show "Communication message send response error" in the output.
ASA# show license registration
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
Number of Retries: 1.
Last License Server response time: Mar 22 13:26:32 2016 UTC.
Last License Server response message: Communication message send response error
FXOS - Problem Symptoms
For FXOS-based devices, enter the show license all
command in order to view the licensing status. Affected Firepower devices will show "Failure reason: Failed to authenticate server" in the output.
Firepower # show license all
Smart Licensing Status
======================
Smart Licensing is ENABLED
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Oct 09 18:03:27 2018 UTC
Failure reason: Failed to authenticate server
Next Registration Attempt: Oct 09 18:18:39 2018 UTC
FMC - Problem Symptoms
For Firepower-based devices managed by the FMC, the management console will show this message if there is no connection to the Smart Licensing server.
FDM - Problem Symptoms
For Firepower-based devices managed by the FDM that have already been Smart Licensed, there might not be any observable problem symptoms. For devices not previously Smart Licensed, attempts to license the device might fail with a communication error.
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to the ASA, FXOS, and Firepower software.
Updated software versions that address this issue are available from the Cisco Software Download Center for your device.
Software Upgrade
For ASA-based devices, upgrade to one of the ASA software versions shown in the table in order to resolve the root CA certificate issue for affected devices.
Release Version | Fixed Version |
---|---|
ASA 9.1.x | Migrate to a fixed release |
ASA 9.2.x | Migrate to a fixed release |
ASA 9.3.x | Migrate to a fixed release |
ASA 9.4.x | Migrate to a fixed release |
ASA 9.5.x | Migrate to a fixed release |
ASA 9.6.x | Migrate to a fixed release |
ASA 9.7.x | Migrate to a fixed release |
ASA 9.8.x | ASA 9.8.4.39 or later |
ASA 9.9.x | Migrate to a fixed release |
ASA 9.10.x | Migrate to a fixed release |
ASA 9.12.x | ASA 9.12.4.24 or later |
ASA 9.13.x | Migrate to a fixed release |
ASA 9.14.x | ASA 9.14.2.14 or later |
ASA 9.15.x | ASA 9.15.1.15 or later |
ASA 9.5.2.x or Later - Auto-Import Certificate Update
For ASA-based devices that run ASA software Version 9.5.2.x or later, the issue can be resolved using the auto-import feature without an upgrade to the ASA software. Enter this command in order to auto-import the IdenTrust Commercial Root CA 1 certificate.
ASA# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
ASA - Manual Certificate Update
For ASA-based devices that run any version of ASA software, the issue can be resolved without an upgrade to the ASA software. Enter these commands in order to manually import the IdenTrust Commercial Root CA 1 certificate.
ASA# config t ASA(config)# crypto ca trustpoint IdenTrust ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# crl configure ASA(config-ca-crl)# crypto ca authenticate IdenTrust Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT 3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU +ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1 bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH 6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93 nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3 +wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG 4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A 7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H -----END CERTIFICATE----- quit INFO: Certificate has the following attributes: Fingerprint: b33e7773 75eea0d3 e37e4963 4959bbc7 Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported
FXOS - Software Upgrade
For FXOS-based devices, upgrade to one of the FXOS software versions shown in the table in order to resolve the root CA certificate issue for affected devices.
Release Version | Fixed Version |
---|---|
FXOS 2.0.x | Migrate to a fixed release |
FXOS 2.1.x | Migrate to a fixed release |
FXOS 2.2.x | FXOS 2.2.2.148 or later |
FXOS 2.3.x | FXOS 2.3.1.219 or later |
FXOS 2.4.x | Migrate to a fixed release |
FXOS 2.6.x | FXOS 2.6.1.229 or later |
FXOS 2.7.x | Migrate to a fixed release |
FXOS 2.8.x | FXOS 2.8.1.172 or later |
FXOS 2.9.x | FXOS 2.9.1.143 or later |
FXOS 2.10.x | FXOS 2.10.1.179 or later |
FXOS 2.8.x or Later - Auto-Import Certificate Update
For FXOS-based devices with Internet connectivity and that run FXOS 2.8.x or later, the issue can be resolved using the auto-import feature without an upgrade to the FXOS software. Enter these commands in order to auto-import the IdenTrust Commercial Root CA 1 certificate.
FXOS# scope security FXOS /security # FXOS /security # enter tp-auto-import FXOS /security/tp-auto-import* # FXOS /security/tp-auto-import* # commit-buffer /* Wait for a minute to get the auto import complete */ FXOS /security/tp-auto-import # sh detail Trustpoints auto import source URL: http://www.cisco.com/security/pki/trs/ios_core.p7b TrustPoints auto import scheduled time : 22:00 Last Importing Status : Success, Imported with 15 TrustPoint(s) TrustPoints auto Import function : Enabled FXOS /security/tp-auto-import #
FXOS - Manual Certificate Update
For FXOS-based devices that run any version of FXOS software, the issue can be resolved using the manual certificate import procedure without an upgrade to the FXOS software. Enter these commands in order to manually import the IdenTrust Commercial Root CA 1 certificate.
FXOS # scope security FXOS /security # create trustpoint IdenTrust FXOS /security/trustpoint* # set certchain -----BEGIN CERTIFICATE----- MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT 3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU +ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1 bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH 6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93 nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3 +wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG 4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A 7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H -----END CERTIFICATE----- >ENDOFBUF FXOS /security/trustpoint* # commit-buffer FXOS /security/trustpoint # end FXOS # scope licdebug FXOS /license/licdebug # renew
Firepower - Software Upgrade
For Firepower-based devices, upgrade to one of the Firepower software versions shown in the table and run the additional commands in order to resolve the root CA certificate issue for affected devices.
Release Version | Fixed Version |
---|---|
Firepower 6.1.x | Migrate to a fixed release |
Firepower 6.2.x | Firepower 6.2.3.18 or later |
Firepower 6.3.x | Migrate to a fixed release |
Firepower 6.4.x | Firepower 6.4.0.13 or later |
Firepower 6.5.x | Migrate to a fixed release |
Firepower 6.6.x | Firepower 6.6.5 or later |
Firepower 6.7.x | Firepower 6.7.0.3 or later |
Note: An update to Firepower 7.0 or later will resolve the field notice issue and requires no additional manual steps.
For Firepower 6.7 or earlier, after you upgrade the FMC to a fixed version, remove the certificate file at /etc/sf/gch/call_home_ca
and restart the Smart Licensing Agent (sla) process to resume communications with Cisco Smart Software Manager (CSSM) with these steps:
expert
command in order to access the Linux shell.sudo su –
command and enter the password when prompted./etc/sf/gch/call_home_ca
file with the rm /etc/sf/gch/call_home_ca
command.pmtool restartbyid sla
command.
Firepower - Manual Certificate Update
For devices managed by FMC, the issue can be resolved for the Smart Licensing service only without an upgrade to the Firepower software. For services other than Smart Licensing, a software upgrade is required to fix the issue.
Complete these steps in order to manually import the IdenTrust Commercial Root CA 1 certificate. Do not use this workaround when you use Common Criteria (CC) Mode or for devices managed by Firepower Device Manager (FDM). Instead, upgrade to one of the Firepower software versions provided in the table.
sudo su -
in order to elevate to root.mv /etc/sf/gch/call_home_ca /etc/sf/gch/call_home_ca.bak
in order to back up the current certificate.vim /etc/sf/gch/call_home_ca
.i
key in order to enter editing mode.-----BEGIN CERTIFICATE----- MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT 3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU +ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1 bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH 6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93 nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3 +wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG 4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A 7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H -----END CERTIFICATE-----
ESC
key in order to exit editing mode.:wq
and then press the ENTER
key in order to save the file and exit.pmtool restartbyid sla
in order to restart the Smart Licensing Agreement process and use the updated IdenTrust certificate.Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.