Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
2.0 | 24-Mar-22 | Updated the Background Section |
1.3 | 09-Mar-22 | Updated the Background, Products Affected, and Workaround/Solution Sections and Added the Additional Information Section |
1.2 | 18-Feb-22 | Updated the Products Affected, Problem Description, and Workaround/Solution Sections |
1.1 | 03-Feb-22 | Updated the Products Affected and Defect Information Sections |
1.0 | 20-Dec-21 | Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS | Adaptive Security Appliance (ASA) Software | 9 | 9.12.2, 9.12.3, 9.12.4, 9.14.1, 9.14.2, 9.15.1, 9.8.2, 9.8.4 | |
NON-IOS | Adaptive Security Appliance (ASA) Software | Interim | 9.1.7 Interim, 9.10.1 Interim, 9.12.1 Interim, 9.12.4 Interim, 9.13.1 Interim, 9.15.1 Interim, 9.2.4 Interim, 9.4.4 Interim, 9.6.4 Interim, 9.8.4 Interim, 9.9.2 Interim | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.1 | 6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7 | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.2 | 6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9 | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.3 | 6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5 | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.4 | 6.4.0, 6.4.0.1, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, 6.4.0.8, 6.4.0.9 | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.5 | 6.5.0, 6.5.0.2, 6.5.0.4, 6.5.0.5 | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.6 | 6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4 | |
NON-IOS | Firepower Threat Defense (FTD) Software | 6.7 | 6.7.0, 6.7.0.1, 6.7.0.2 | |
NON-IOS | Firepower Management Center Software | 6.1 | 6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7 | |
NON-IOS | Firepower Management Center Software | 6.2 | 6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9 | |
NON-IOS | Firepower Management Center Software | 6.3 | 6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5 | |
NON-IOS | Firepower Management Center Software | 6.4 | 6.4.0, 6.4.0.1, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7, 6.4.0.8, 6.4.0.9 | |
NON-IOS | Firepower Management Center Software | 6.5 | 6.5.0, 6.5.0.1, 6.5.0.2, 6.5.0.4, 6.5.0.5 | |
NON-IOS | Firepower Management Center Software | 6.6 | 6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4 | |
NON-IOS | Firepower Management Center Software | 6.7 | 6.7.0, 6.7.0.1, 6.7.0.2 | |
NON-IOS | Firepower Extensible Operating System | 2.0 | 2.0.1.135, 2.0.1.141, 2.0.1.144, 2.0.1.148, 2.0.1.149, 2.0.1.153, 2.0.1.159, 2.0.1.188, 2.0.1.201, 2.0.1.203, 2.0.1.204, 2.0.1.206, 2.0.1.37, 2.0.1.68, 2.0.1.86 | |
NON-IOS | Firepower Extensible Operating System | 2.1 | 2.1.1.106, 2.1.1.107, 2.1.1.113, 2.1.1.115, 2.1.1.116, 2.1.1.64, 2.1.1.73, 2.1.1.77, 2.1.1.83, 2.1.1.85, 2.1.1.86, 2.1.1.97 | |
NON-IOS | Firepower Extensible Operating System | 2.2 | 2.2.1.63, 2.2.1.66, 2.2.1.70, 2.2.2.101, 2.2.2.137, 2.2.2.17, 2.2.2.19, 2.2.2.24, 2.2.2.26, 2.2.2.28, 2.2.2.54, 2.2.2.60, 2.2.2.71, 2.2.2.83, 2.2.2.86, 2.2.2.91, 2.2.2.97 | |
NON-IOS | Firepower Extensible Operating System | 2.3 | 2.3.1.110, 2.3.1.111, 2.3.1.130, 2.3.1.144, 2.3.1.145, 2.3.1.155, 2.3.1.166, 2.3.1.173, 2.3.1.179, 2.3.1.180, 2.3.1.190, 2.3.1.215, 2.3.1.216, 2.3.1.58, 2.3.1.66, 2.3.1.73, 2.3.1.75, 2.3.1.88, 2.3.1.91, 2.3.1.93, 2.3.1.99 | |
NON-IOS | Firepower Extensible Operating System | 2.4 | 2.4.1.101, 2.4.1.214, 2.4.1.222, 2.4.1.234, 2.4.1.238, 2.4.1.244, 2.4.1.249, 2.4.1.252, 2.4.1.266, 2.4.1.268, 2.4.1.273 | |
NON-IOS | Firepower Extensible Operating System | 2.6 | 2.6.1.131, 2.6.1.157, 2.6.1.166, 2.6.1.169, 2.6.1.174, 2.6.1.187, 2.6.1.192, 2.6.1.204, 2.6.1.214, 2.6.1.224 | |
NON-IOS | Firepower Extensible Operating System | 2.7 | 2.7.1.106, 2.7.1.122, 2.7.1.131, 2.7.1.143, 2.7.1.92, 2.7.1.98 | |
NON-IOS | Firepower Extensible Operating System | 2.8 | 2.8.1.105, 2.8.1.125, 2.8.1.139, 2.8.1.143, 2.8.1.152, 2.8.1.164 | |
NON-IOS | Firepower Extensible Operating System | 2.9 | 2.9.1.131, 2.9.1.135 | |
NON-IOS | Firepower Extensible Operating System | 2.10 | 2.10.1.159, 2.10.1.166 |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCvx00496 | QuoVadis root CA decommission on pix-asa |
| CSCvx30107 | Default trustpoint _SmartCallHome_ServerCA using SHA1 which is not supported |
| CSCvx71184 | Smart call home trustpoint should have both Quovadis & IdenTrust |
| CSCvy80325 | Include the ios pem files into the patch upgrade package for vFTD |
| CSCvx19563 | FDM: Need to update various items to use STO Certificate Trust Bundle (QuoVadis Root CA Issue/PSIRT) |
| CSCvx13861 | QuoVadis root CA decommission on Firepower 9300/4100 Supervisor |
| CSCvx00431 | QuoVadis root CA decommission on sfims - update certificate files on SFOS based FMC and NGIPS units |
| CSCwa88571 | Unable to register FMC with the Smart Portal |
| CSCvx28070 | Update QuoVadis root CA for Smart license as it is getting decommissioned |
Problem Description
For affected versions of the Adaptive Security Appliance (ASA), Firepower eXtensible Operating System (FXOS), and Firepower software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing and Smart Call Home will fail to establish secure connections to Cisco and might not operate properly.
Background
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by ASA, FXOS, and Firepower software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing and Smart Call Home to fail to establish secure connections to Cisco cloud servers.
This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.
| Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
|---|---|---|
| tools.cisco.com | February 5, 2022 |
|
| smartreceiver.cisco.com | January 26, 2023 |
|
| Security Services Exchange (SSE) NAM | March 22, 2023 May 5, 2022 for CSD feature only |
|
| SSE EU | March 22, 2023 May 5, 2022 for CSD feature only | |
| SSE APJ | March 16, 2023 May 5, 2022 for CSD feature only |
Note: The Advanced Malware Protection (AMP) services are not affected by the QuoVadis certificate expiration.
Problem Symptom
Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.
| Affected Services | Symptoms for Affected Services |
|---|---|
| Smart Licensing | Failure to connect to the server (Details are provided in this section) |
| Smart Call Home | Failure to connect to the server and the Call-Home HTTP request fails Note: Smart Call Home is the carrier for Smart Licensing and other telemetry data communication. |
| SSE connectivity, messaging, and eventing for security cloud services | SSE connectivity, enrollment, and messaging will fail |
| Eventing for Security Analytics and Logging (SAL) and SecureX | Events for SAL and SecureX will fail |
| Cisco Support Diagnostics (CSD) used by TAC to upload diagnostics | Uploads to CSD will fail |
| Access to FDM using Cisco Defense Orchestrator (CDO) | Onboarding new devices will fail, existing devices will not be able to provide status or deploy configurations |
| Low Touch Provisioning (LTP) | Onboarding of devices in CDO will fail |
| Ribbon integration for SecureX | Onboarding of the SecureX ribbon in FMC will fail, but the browser flow will be unaffected |
For Firepower devices, affected devices will be unable to connect to the Smart Licensing and Smart Call Home services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.
The features that use Smart Licensing will continue to function for one year after the last successful secure connection. Some Smart Licensing symptoms are:
- The device might indicate a failure to communicate with the Smart Licensing server within 30 days from the last successful connection.
- The device will show the "Authorization Expired" state if there is no communication with the Smart Licensing server within 90 days.
- The device will show the "Unregistered" state if there is no communication with the Smart Licensing server after one year and the licensed features usage become suspended.
Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.
For additional information, refer to the Cisco Smart Licensing Guide.
ASA - Problem Symptoms
For ASA-based devices, enter the show license registration command in order to view the licensing status. Affected ASA security chassis will show "Communication message send response error" in the output.
ASA# show license registration Registration Status: Retry In Progress. Registration Start Time: Mar 22 13:25:46 2016 UTC Registration Status: Retry In Progress. Registration Start Time: Mar 22 13:25:46 2016 UTC Last Retry Start Time: Mar 22 13:26:32 2016 UTC. Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC. Number of Retries: 1. Last License Server response time: Mar 22 13:26:32 2016 UTC. Last License Server response message: Communication message send response errorFXOS - Problem Symptoms
For FXOS-based devices, enter the show license all command in order to view the licensing status. Affected Firepower devices will show "Failure reason: Failed to authenticate server" in the output.
Firepower # show license allSmart Licensing Status======================Smart Licensing is ENABLEDRegistration: Status: REGISTERING - REGISTRATION IN PROGRESS Export-Controlled Functionality: Not Allowed Initial Registration: FAILED on Oct 09 18:03:27 2018 UTC Failure reason: Failed to authenticate server Next Registration Attempt: Oct 09 18:18:39 2018 UTCFMC - Problem Symptoms
For Firepower-based devices managed by the FMC, the management console will show this message if there is no connection to the Smart Licensing server.
FDM - Problem Symptoms
For Firepower-based devices managed by the FDM that have already been Smart Licensed, there might not be any observable problem symptoms. For devices not previously Smart Licensed, attempts to license the device might fail with a communication error.
Workaround/Solution
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to the ASA, FXOS, and Firepower software.
- Software Upgrade
- Manual Certificate Update
Updated software versions that address this issue are available from the Cisco Software Download Center for your device.
Software Upgrade
For ASA-based devices, upgrade to one of the ASA software versions shown in the table in order to resolve the root CA certificate issue for affected devices.
| Release Version | Fixed Version |
|---|---|
| ASA 9.1.x | Migrate to a fixed release |
| ASA 9.2.x | Migrate to a fixed release |
| ASA 9.3.x | Migrate to a fixed release |
| ASA 9.4.x | Migrate to a fixed release |
| ASA 9.5.x | Migrate to a fixed release |
| ASA 9.6.x | Migrate to a fixed release |
| ASA 9.7.x | Migrate to a fixed release |
| ASA 9.8.x | ASA 9.8.4.39 or later |
| ASA 9.9.x | Migrate to a fixed release |
| ASA 9.10.x | Migrate to a fixed release |
| ASA 9.12.x | ASA 9.12.4.24 or later |
| ASA 9.13.x | Migrate to a fixed release |
| ASA 9.14.x | ASA 9.14.2.14 or later |
| ASA 9.15.x | ASA 9.15.1.15 or later |
ASA 9.5.2.x or Later - Auto-Import Certificate Update
For ASA-based devices that run ASA software Version 9.5.2.x or later, the issue can be resolved using the auto-import feature without an upgrade to the ASA software. Enter this command in order to auto-import the IdenTrust Commercial Root CA 1 certificate.
ASA# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
ASA - Manual Certificate Update
For ASA-based devices that run any version of ASA software, the issue can be resolved without an upgrade to the ASA software. Enter these commands in order to manually import the IdenTrust Commercial Root CA 1 certificate.
ASA# config tASA(config)# crypto ca trustpoint IdenTrustASA(config-ca-trustpoint)# enrollment terminalASA(config-ca-trustpoint)# crl configureASA(config-ca-crl)# crypto ca authenticate IdenTrustEnter the base 64 encoded CA certificate.End with the word "quit" on a line by itself-----BEGIN CERTIFICATE-----MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORiT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCLvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjKVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H-----END CERTIFICATE-----quitINFO: Certificate has the following attributes:Fingerprint: b33e7773 75eea0d3 e37e4963 4959bbc7Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.% Certificate successfully imported
FXOS - Software Upgrade
For FXOS-based devices, upgrade to one of the FXOS software versions shown in the table in order to resolve the root CA certificate issue for affected devices.
| Release Version | Fixed Version |
|---|---|
| FXOS 2.0.x | Migrate to a fixed release |
| FXOS 2.1.x | Migrate to a fixed release |
| FXOS 2.2.x | FXOS 2.2.2.148 or later |
| FXOS 2.3.x | FXOS 2.3.1.219 or later |
| FXOS 2.4.x | Migrate to a fixed release |
| FXOS 2.6.x | FXOS 2.6.1.229 or later |
| FXOS 2.7.x | Migrate to a fixed release |
| FXOS 2.8.x | FXOS 2.8.1.172 or later |
| FXOS 2.9.x | FXOS 2.9.1.143 or later |
| FXOS 2.10.x | FXOS 2.10.1.179 or later |
FXOS 2.8.x or Later - Auto-Import Certificate Update
For FXOS-based devices with Internet connectivity and that run FXOS 2.8.x or later, the issue can be resolved using the auto-import feature without an upgrade to the FXOS software. Enter these commands in order to auto-import the IdenTrust Commercial Root CA 1 certificate.
FXOS# scope securityFXOS /security #FXOS /security # enter tp-auto-importFXOS /security/tp-auto-import* #FXOS /security/tp-auto-import* # commit-buffer/* Wait for a minute to get the auto import complete */FXOS /security/tp-auto-import # sh detailTrustpoints auto import source URL: http://www.cisco.com/security/pki/trs/ios_core.p7bTrustPoints auto import scheduled time : 22:00Last Importing Status : Success, Imported with 15 TrustPoint(s)TrustPoints auto Import function : EnabledFXOS /security/tp-auto-import #
FXOS - Manual Certificate Update
For FXOS-based devices that run any version of FXOS software, the issue can be resolved using the manual certificate import procedure without an upgrade to the FXOS software. Enter these commands in order to manually import the IdenTrust Commercial Root CA 1 certificate.
FXOS # scope securityFXOS /security # create trustpoint IdenTrustFXOS /security/trustpoint* # set certchain-----BEGIN CERTIFICATE-----MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORiT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCLvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjKVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H-----END CERTIFICATE----->ENDOFBUFFXOS /security/trustpoint* # commit-bufferFXOS /security/trustpoint # endFXOS # scope licdebugFXOS /license/licdebug # renew
Firepower - Software Upgrade
For Firepower-based devices, upgrade to one of the Firepower software versions shown in the table and run the additional commands in order to resolve the root CA certificate issue for affected devices.
| Release Version | Fixed Version |
|---|---|
| Firepower 6.1.x | Migrate to a fixed release |
| Firepower 6.2.x | Firepower 6.2.3.18 or later |
| Firepower 6.3.x | Migrate to a fixed release |
| Firepower 6.4.x | Firepower 6.4.0.13 or later |
| Firepower 6.5.x | Migrate to a fixed release |
| Firepower 6.6.x | Firepower 6.6.5 or later |
| Firepower 6.7.x | Firepower 6.7.0.3 or later |
Note: An update to Firepower 7.0 or later will resolve the field notice issue and requires no additional manual steps.
For Firepower 6.7 or earlier, after you upgrade the FMC to a fixed version, remove the certificate file at /etc/sf/gch/call_home_ca and restart the Smart Licensing Agent (sla) process to resume communications with Cisco Smart Software Manager (CSSM) with these steps:
- Access the CLI. For FMC deployments, log in to the FMC CLI as admin or another user with shell access.
- Enter the
expertcommand in order to access the Linux shell. - Elevate the user to root with the
sudo su –command and enter the password when prompted. - Remove the
/etc/sf/gch/call_home_cafile with therm /etc/sf/gch/call_home_cacommand. - Restart the Smart Licensing Agreement process with the
pmtool restartbyid slacommand.
Firepower - Manual Certificate Update
For devices managed by FMC, the issue can be resolved for the Smart Licensing service only without an upgrade to the Firepower software. For services other than Smart Licensing, a software upgrade is required to fix the issue.
Complete these steps in order to manually import the IdenTrust Commercial Root CA 1 certificate. Do not use this workaround when you use Common Criteria (CC) Mode or for devices managed by Firepower Device Manager (FDM). Instead, upgrade to one of the Firepower software versions provided in the table.
- Enter
sudo su -in order to elevate to root. - Enter
mv /etc/sf/gch/call_home_ca /etc/sf/gch/call_home_ca.bakin order to back up the current certificate. - Create a new certificate file.
- Enter
vim /etc/sf/gch/call_home_ca. - Press the
ikey in order to enter editing mode. - Copy and paste this IdenTrust Commercial Root CA 1 certificate into the file.
-----BEGIN CERTIFICATE-----MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORiT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCLvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjKVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H-----END CERTIFICATE-----
- Press the
ESCkey in order to exit editing mode. - Enter
:wqand then press theENTERkey in order to save the file and exit.
- Enter
- Enter
pmtool restartbyid slain order to restart the Smart Licensing Agreement process and use the updated IdenTrust certificate.
Additional Information
Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
- Open a service request on Cisco.com
- By email or telephone
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.