THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Product Name | Description | Comments |
---|---|---|
C9200-24P | Catalyst 9200 24-port PoE+, Base Switch | Catalyst 9200 - All Products are impacted. Some sample products are listed in this table |
C9200-24PB | Catalyst 9200 24-port PoE+, enhanced VRF, BASE PID | |
C9200-24PXG | Catalyst 9200 24-port 8xmGig PoE+, Base Switch | |
C9200-24T | Catalyst 9200 24-port data only, Base Switch | |
C9200-48P | Catalyst 9200 48-port PoE+, Base Switch | |
C9200-48PB | Catalyst 9200 48-port PoE+, Enhanced VRF. BASE PID | |
C9200-48PL | Catalyst 9200 48-port Partial PoE+, Base Switch | |
C9200-48PXG | Catalyst 9200 48-port 8xmGig PoE+, Base Switch | |
C9200-48T | Catalyst 9200 48-port data only, Base Switch | |
C9200CX-12P-2X2G | Catalyst 9000 Compact Switch 12-Port PoE+, 240W, Essentials | |
C9200CX-12P-2XGH | Catalyst 9000 Compact Switch 12-Port PoE+, 240W,HVDC,Ess | |
C9200CX-12T-2X2G | Catalyst 9000 Compact Switch 12-port Data Only, Essentials | |
C9200CX-8P-2X2G | Catalyst 9000 Compact Switch 8 port PoE+, 240W, Essentials | |
C9200CX-8P-2XGH | Catalyst 9000 Compact Switch 8 port PoE+, 240W,HVDC,Ess | |
C9200CX-8UXG-2X | Catalyst 9000 Compact Switch 8-Port UPoE with 4xmGig,240W,E | |
C9200CX-8UXG-2XH | Catalyst 9000 Compact Switch 8-Port UPoE with 4xmGig,HVDC,E | |
C9200L-24P-4G | Catalyst 9200L 24-port PoE+, Base Switch | |
C9200L-24P-4X | Catalyst 9200L 24-port PoE+, SFP+, Base Switch | |
C9200L-24PXG-2Y | C9200L 24-port 8xmGig, 16x1G, 2x25G, PoE+,Base Switch | |
C9200L-24PXG-4X | C9200L 24-port 8xmGig, 16x1G, 4x10G, PoE+,Base Switch | |
C9200L-24T-4G | Catalyst 9200L 24-port data only, Base Switch | |
C9200L-24T-4X | Catalyst 9200L 24-port data only, SFP+ ,Base Switch | |
C9200L-48P-4G | Catalyst 9200L 48-port PoE+, Base Switch | |
C9200L-48P-4X | Catalyst 9200L 48-port PoE+, SFP+, Base Switch | |
C9200L-48PL-4G | Catalyst 9200L 48-port Partial PoE+, Base Switch | |
C9200L-48PL-4X | Catalyst 9200L 48-port Partial PoE+, SFP+, Base Switch | |
C9200L-48PXG-2Y | C9200L 48-port 8xmGig, 40x1G, 2x25G PoE+,Base Switch | |
C9200L-48PXG-4X | C9200L 48-port 12xmGig, 36x1G, 4x10G PoE+,Base Switch | |
C9200L-48T-4G | Catalyst 9200L 48-port data only, Base Switch | |
C9200L-48T-4X | Catalyst 9200L 48-port data only, SFP+ ,Base Switch | |
C9300-24H | Catalyst 9300 24-port UPOE+, Base PID-Non-Shippable | Catalyst 9300 - All Products are impacted. Some sample products are listed in this table |
C9300-24P | Catalyst 9300 24-port PoE+,Base switch | |
C9300-24S | Catalyst 9300 24-port Fiber Base switch | |
C9300-24T | Catalyst 9300 24-port data only,Base switch | |
C9300-24U | Catalyst 9300 24-port UPOE,Base switch | |
C9300-24UB | Catalyst Deep Buffer 9300 24-port UPOE, Base PID | |
C9300-24UX | Catalyst 9300 24-port mGig and UPOE, base switch | |
C9300-24UXB | Catalyst 9300 Deep Buffer 24p mGig, UPOE, Base PID | |
C9300-48H | Catalyst 9300 48-port UPoE+, Base PID | |
C9300-48P | Catalyst 9300 48-port PoE+,Base switch | |
C9300-48S | Catalyst 9300 48-port Fiber , Base Switch | |
C9300-48T | Catalyst 9300 48-port data only,Base switch | |
C9300-48U | Catalyst 9300 48-port UPOE,Base switch | |
C9300-48UB | Catalyst 9300 48-port UPOE Deep Buffer, Base PID | |
C9300-48UN | Catalyst 9300 48-port of 5GbpsBase switch | |
C9300-48UXM | Catalyst 9300 48-port(12 mGig&36 2.5Gbps), base switch | |
C9300L-24P-4G | Catalyst 9300L 24p PoE ,4x1G Uplink, Base Switch | |
C9300L-24P-4X | Catalyst 9300L 24p PoE ,4x10G Uplink, Base Switch | |
C9300L-24T-4G | Catalyst 9300L 24p data ,4x1G Uplink, Base Switch | |
C9300L-24T-4X | Catalyst 9300L 24p data ,4x10G Uplink, Base Switch | |
C9300L-24UXG-2Q | Catalyst 9300L 24p, 8mGig ,2x40G Uplink, Base Switch | |
C9300L-24UXG-4X | Catalyst 9300L 24p, 8mGig ,4x10G Uplink, Base Switch | |
C9300L-48P-4G | Catalyst 9300L 48p PoE ,4x1G Uplink, Base Switch | |
C9300L-48P-4X | Catalyst 9300L 48p PoE ,4x10G Uplink, Base Switch | |
C9300L-48PF-4G | Catalyst 9300L 48p Full PoE+ ,4x1G Uplink, Base Switch | |
C9300L-48PF-4X | Catalyst 9300L 48p Full PoE+ ,4x10G Uplink, Base Switch | |
C9300L-48T-4G | Catalyst 9300L 48p data ,4x1G Uplink, Base Switch | |
C9300L-48T-4X | Catalyst 9300L 48p data ,4x10G Uplink, Base Switch | |
C9300L-48UXG-2Q | Catalyst 9300L 48p, 12mGig ,2x40G Uplink, Base Switch | |
C9300L-48UXG-4X | Catalyst 9300L 48p, 12mGig ,4x10G Uplink, Base Switch | |
C9300LM-24U-4Y | Catalyst 9300L Mini 24p UPoE, Base Switch | |
C9300LM-48T-4Y | Catalyst 9300L Mini 48p Data, Base Switch | |
C9300LM-48U-4Y | Catalyst 9300L Mini 48p UPoE, Base Switch | |
C9300LM-48UX-4Y | Catalyst 9300L Mini 48p 8mGig, Base Switch | |
C9300X-12Y | Catalyst 9300X 12x25G Fiber Ports, Base Switch | |
C9300X-24HX | Catalyst 9300 24-port mGig UPoE+, Base PID | |
C9300X-24Y | Catalyst 9300X 24x25G Fiber Ports, Base Switch | |
C9300X-48HX | Catalyst 9300 48-port mGig UPoE+, Base PID | |
C9300X-48HXN | Catalyst 9300 48-port, 8xmGig+40x5G 90W UPOE+, Base PID | |
C9300X-48TX | Catalyst 9300 48-port mGig data only, Base PID | |
C9400-SUP-1 | Cisco Catalyst 9400 Series Supervisor 1 Module | Catalyst 9400 - Only Supervisor Cards listed here are impacted. |
C9400-SUP-1XL | Cisco Catalyst 9400 Series Supervisor 1XL Module | |
C9400-SUP-1XL-Y | Cisco Catalyst 9400 Series Supervisor 1XL with 25G Module | |
C9500-12Q | Catalyst 9500 12-port 40G switch, Baseboard | Catalyst 9500 - All Products are impacted. Some sample products are listed in this table |
C9500-16X | Catalyst 9500 16-port 10Gig switch, Baseboard | |
C9500-24Q | Catalyst 9500 24-port 40G switch, Baseboard | |
C9500-24Y4C | Catalyst 9500 Base PID | |
C9500-32C | Catalyst 9500 Base PID | |
C9500-32QC | Catalyst 9500 Base PID | |
C9500-40X | Catalyst 9500 40-port 10Gig switch, Baseboard | |
C9500-48Y4C | Catalyst 9500 Base PID | |
C9600-SUP-1 | Cisco Catalyst 9600 Series Supervisor 1 Module | Catalyst 9600 - Only Supervisor Cards listed here are impacted. |
C9600X-SUP-2 | Cisco Catalyst 9600 Series Supervisor 2 Module | |
Defect ID | Headline |
---|---|
CSCwd82114 | Support for both HW SUDI type and SW SUDI type trustpoints initialized with IOS PKI. |
CSCwf94778 | C9200 uses H/W SUDI cert expiry date as 2029 instead of 2099 |
A Cisco Secure Unique Device Identifier (SUDI) certificate that is registered to a public key infrastructure (PKI) and that is also used to configure certain functionalities will expire on a limited number of Cisco Catalyst 9000 Switching Family products (for more information on affected products, see the Products Affected section of this Field Notice). Any service that relies on a SUDI certificate to establish a secure connection might not work after the certificate expires.
SUDI is an X.509v3 certificate that maintains the product identifier and serial number. The identity is implemented at manufacturing and is linked to a publicly identifiable root certificate authority (CA). The SUDI can be used as an immutable identity for configuration, security, auditing, and management.
The Cisco SUDI certificate, when registered to a PKI and used to configure certain functionalities on Cisco IOS XE Software, will expire on a limited number of Catalyst 9000 Switching products. Refer to the How to Identify Affected Products and Serial Number Validation sections of this Field Notice to identify affected devices.
To determine if a SUDI trust point is used, enter the following command:
Switch# show run | include CISCO_IDEVID_SUDI
If there is no output, no impact is expected and no further action is required.
Customers can check the expiration date of the SUDI certificate on their device using the show crypto pki certificates command.
The SUDI expiration date is the "end date" line of the certificate whose Associated Trustpoints entry is CISCO_IDEVID_SUDI, as in the sample output below:
Switch#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 0380EC27
  Certificate Usage: General Purpose
  Issuer:
    cn=ACT2 SUDI CA
    o=Cisco
  Subject:
    Name: C9200-24T
    Serial Number: PID:C9200-24T SN:XXXXXXXXXXX
    cn=C9200-24T
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:C9200-24T SN:XXXXXXXXXXX
  Validity Date:
    start date: 08:37:26 UTC Feb 12 2019
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI
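The two checks above (is the SUDI trustpoint referenced by any feature, and what end date does the SUDI certificate show) can be run against saved CLI output from many devices. The script below is an added example, not code from Cisco or from this field notice; the `show run` and `show crypto pki certificates` text embedded in it is constructed to match the samples above, and the verdict names (`affected`, `ok`, `not-impacted`, `sudi-cert-not-listed`) are the script's own.

```python
import re
from datetime import datetime

SUDI_TP = "CISCO_IDEVID_SUDI"

# Constructed sample output modelled on the field notice's examples;
# not captured from a real device.
SHOW_RUN = """\
hostname Switch
ip http secure-server
ip http secure-trustpoint CISCO_IDEVID_SUDI
ip ssh server certificate profile
 server
  trustpoint sign CISCO_IDEVID_SUDI
"""

SHOW_PKI_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 0380EC27
  Validity Date:
    start date: 08:37:26 UTC Feb 12 2019
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2030
  Associated Trustpoints: TEST
"""

END_DATE_RE = re.compile(r"end\s+date:\s*(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})")


def sudi_references(show_run: str) -> list:
    """Same result as 'show run | include CISCO_IDEVID_SUDI' on the device."""
    return [ln.strip() for ln in show_run.splitlines() if SUDI_TP in ln]


def sudi_end_date(show_certs: str):
    """End date of the certificate whose Associated Trustpoints names the SUDI trustpoint."""
    last_end = None
    for ln in show_certs.splitlines():
        m = END_DATE_RE.search(ln)
        if m:  # the Associated Trustpoints line follows the validity block
            last_end = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
        elif ln.strip().startswith("Associated Trustpoints:"):
            if SUDI_TP in re.split(r"[\s,]+", ln.split(":", 1)[1].strip()):
                return last_end
    return None


def assess(show_run: str, show_certs: str, expected_year: int = 2099) -> tuple:
    """'affected' = a feature uses the SUDI trustpoint AND the displayed end date is
    before expected_year. The notice says defects CSCwd82114/CSCwf94778 can understate
    the displayed date, so the per-family recommended action still decides the fix."""
    refs = sudi_references(show_run)
    if not refs:
        return ("not-impacted", refs, None)
    end = sudi_end_date(show_certs)
    if end is None:
        return ("sudi-cert-not-listed", refs, None)
    return ("affected" if end.year < expected_year else "ok", refs, end)
```

Feed each device's two command outputs to `assess()`; a device with no SUDI references needs no further action, matching the notice's guidance for empty `show run | include` output.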
Any services that rely on a trustpoint that is configured with an expired Cisco SUDI certificate will be affected. Various features that might be linked to the SUDI certificate are shown in the following sample configurations:
HTTPS
  ip http secure-trustpoint CISCO_IDEVID_SUDI
  ip http client secure-trustpoint CISCO_IDEVID_SUDI
SSH authentication that uses certificates
  ip ssh server certificate profile
   server
    trustpoint sign CISCO_IDEVID_SUDI
Zero Touch Deployment (ZTD) that uses a certificate enrollment profile for enrollment or reenrollment
  crypto pki profile enrollment profile-name
   credential CISCO_IDEVID_SUDI
Note: This use of SUDI certificates is rare. Username and password authentication and non-SUDI public or private key authentication are not affected.
Customers should refer to the information below to apply the recommended action for their device.
For suggestions related to software upgrades, evaluate your network deployment before upgrading the devices.
All units have a SUDI expiration in 2099; however, due to defect CSCwf94778, the device may show an earlier SUDI expiration date.
Recommended Action: Upgrade to fixed versions 17.12.2/17.9.5/17.13.1 and later or apply the workarounds described below.
Note: The Serial Number Validation Tool/Link is not applicable for this product family.
All units that show as Affected in the Serial Number Validation Tool have a SUDI expiration of Date of Manufacturing + 10 years or 2029, whichever is earlier.
Recommended Action: Refer to the workarounds described below.
All units that show as Not Affected in the Serial Number Validation Tool have a SUDI expiry of 2099; however, due to defect CSCwd82114, units may show an earlier SUDI expiration date.
Recommended Action: Upgrade to fixed versions 17.12.1/17.9.5/17.13.1 and later or apply the workarounds described below.
All units that show as Affected in the Serial Number Validation Tool have a SUDI expiration of Date of Manufacturing + 10 years or 2029, whichever is earlier.
Recommended Action: Refer to the workarounds described below.
All units that show as Not Affected in the Serial Number Validation Tool have a SUDI expiration of 2099; however, due to defect CSCwd82114, units may show an earlier SUDI expiration date.
Recommended Action: Upgrade to fixed versions 17.12.1/17.9.5/17.13.1 and later or apply the workarounds described below.
All units that show as Affected in the Serial Number Validation Tool have a SUDI expiration of Date of Manufacturing + 10 years or 2029 or 2037, whichever is earlier.
Recommended Action: Refer to the workarounds described below.
All units that show as Not Affected in the Serial Number Validation Tool have a SUDI expiration of 2099; however, due to defect CSCwd82114, units may show an earlier SUDI expiration date.
Recommended Action: Upgrade to fixed versions 17.12.1/17.9.5/17.13.1 and later or apply the workarounds described below.
All units have a SUDI expiration of 2099; however, due to defect CSCwd82114, devices may show an earlier SUDI expiration date.
Recommended Action: Upgrade to fixed versions 17.12.1/17.9.5/17.13.1 and later or apply the workarounds described below.
Note: The Serial Number Validation Tool/Link is not applicable for this product family.
All units have a SUDI expiration of 2099; however, due to defect CSCwd82114, devices may show an earlier SUDI expiration date.
Recommended Action: Upgrade to fixed versions 17.12.1/17.9.5/17.13.1 and later or apply the workarounds described below.
Note: The Serial Number Validation Tool/Link is not applicable for this product family.
Customers should use one of the following three workaround methods to install an alternate certificate:
Notes:
For more information on each workaround option, see below.
Install a Certificate from a CA
In this workaround, a certificate request is generated and displayed by Cisco IOS XE Software. The administrator then copies the request and submits it to a third-party CA and retrieves the result.
Note: Use of a CA to sign certificates is a security best practice. This procedure is provided as a workaround in this field notice. However, Cisco recommends continuing to use the third-party CA-signed certificate after you apply this workaround rather than using a self-signed certificate.
To install a certificate from a third-party CA, complete the following steps:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki trustpoint TEST
Switch(ca-trustpoint)# enrollment term pem
Switch(ca-trustpoint)# subject-name CN=TEST
Switch(ca-trustpoint)# revocation-check none
Switch(ca-trustpoint)# rsakeypair TEST
Switch(ca-trustpoint)# exit
Switch(config)# crypto pki enroll TEST
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: Switch.cisco.com
% The serial number in the certificate will be: <serial no>
% Include an IP address in the subject name? [no]: no
>Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
A Base64 Certificate is displayed here. Copy it, along with the ---BEGIN and ---END lines.
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki auth TEST
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: 79D15A9F C7EB4882 83AC50AC 7B0FC625
Fingerprint SHA1: 0A80CC2C 9C779D20 9071E790 B82421DE B47E9006
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
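Before answering yes at the "% Do you accept this certificate?" prompt, compare the fingerprint the switch prints with one computed out-of-band from the CA certificate the CA operator gave you; the same check applies at the prompt in the local IOS CA workaround. The helper below is an added example, not code from Cisco or this field notice: it computes the MD5 or SHA-1 hash of the certificate's DER encoding and formats it the way IOS XE displays it. The embedded PEM is a constructed stand-in (base64 of the bytes "abc", whose hashes are well-known test vectors), not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the PEM a CA operator hands you. It is NOT a
# certificate: the body is base64 of b"abc", chosen because the MD5 and
# SHA-1 of "abc" are well-known test vectors.
CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and decode the base64 body to DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def cisco_fingerprint(pem: str, algo: str = "sha1") -> str:
    """Hash of the DER encoding, printed as IOS XE prints it:
    upper-case hex in space-separated groups of eight characters."""
    hexd = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return " ".join(hexd[i:i + 8] for i in range(0, len(hexd), 8))


def fingerprint_matches(pem: str, displayed: str, algo: str = "sha1") -> bool:
    """Compare with the value shown at 'crypto pki auth', ignoring spacing,
    colons and case so openssl-style 'AA:BB:..' output can be pasted too."""
    norm = lambda s: re.sub(r"[\s:]", "", s).upper()
    return norm(cisco_fingerprint(pem, algo)) == norm(displayed)
```

Only answer yes when `fingerprint_matches()` is True for the fingerprint the switch displayed; a mismatch means the pasted certificate is not the one the CA operator gave you.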
Install the identity certificate on the device.
Switch(config)# crypto pki import TEST certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
% Switch Certificate successfully imported
Use the Local Cisco IOS CA server to Generate and Sign a New Certificate
To use the local Cisco IOS CA server to generate and sign a new certificate, use the following CLI input.
Note: The local CA server feature is not available on all products.
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip http server
Switch(config)# crypto pki server IOS-CA
Switch(cs-server)# grant auto
Switch(cs-server)# database level complete
Switch(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: <password>
Re-enter password: <password>
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
Switch# show crypto pki server IOS-CA Certificates
Serial Issued date Expire date Subject Name
1 21:31:40 EST Jan 1 2020 21:31:40 EST Dec 31 2022 cn=IOS-CA
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki trustpoint TEST
Switch(ca-trustpoint)# enrollment url http://<local interface ip>:80
# Replace <local interface ip> with the IP address of an interface on the switch
Switch(ca-trustpoint)# subject-name CN=TEST
Switch(ca-trustpoint)# revocation-check none
Switch(ca-trustpoint)# rsakeypair TEST
Switch(ca-trustpoint)# exit
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki auth TEST
Certificate has the following attributes:
Fingerprint MD5: C281D9A0 337659CB D1B03AA6 11BD6E40
Fingerprint SHA1: 1779C425 3DCEE86D 2B11C880 D92361D6 8E2B71FF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Switch(config)# crypto pki enroll TEST
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: <password>
Re-enter password: <password>
% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: Switch.cisco.com
% Include the switch serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: <serial no>
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TEST' command will show the fingerprint.
Use SCEP to Acquire a Certificate from the Customer's PKI
This use case is typical for utility customers. To set up the device to acquire a certificate from the customer's PKI, use the following steps:
crypto pki trustpoint LDevID
enrollment retry count 10
enrollment retry period 2
enrollment profile LDevID
serial-number none
fqdn none
ip-address none
password
fingerprint 3F520C4C0F3236C9CA3D5C209C9948EC
subject-name serialNumber=PID:<product id> SN:<serial no>,CN=<serial no>
revocation-check none
rsakeypair LDevID 2048
crypto pki profile enrollment LDevID
enrollment url http://192.168.0.254:80 < This is the RA or CA IP address and the port number.
conf t
crypto pki authenticate LDevID
conf t
crypto pki enroll LDevID
To determine if a product may be affected, refer to the Serial Number Validation section of this Field Notice.
If the product is listed as Affected or Not Affected, refer to the Workaround/Solution section of this Field Notice for more details on the recommended action for the product.
Note: Serial Number Validation is not applicable for Catalyst 9200/Catalyst 9500 (Selected Products) and Catalyst 9600. Refer to the Workaround/Solution section for more details.
Cisco provides the Serial Number Validation Tool to verify whether a device is impacted by this issue. To check the device, enter the serial number in the Serial Number Validation Tool.
Important: For security reasons, you must click the Serial Number Validation Tool link that is provided in this section. Do not copy and paste the link into a browser. Use of the Serial Number Validation Tool URL external to this field notice will fail.
Version | Description | Section | Date |
---|---|---|---|
1.0 | Initial Release | — | 2024-MAY-14 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.