By default, if you install a CA server on January 1, 2022, when does the CA certificate expire?
Introduction

Note: This document contains the contents of FN40789, along with additional context, examples, updates, and Q&As.
At 00:00 on 1 Jan 2020 UTC, all Self-Signed Certificates (SSC) that were generated on IOS/IOS-XE systems will expire, unless the system was running a fixed version of IOS/IOS-XE when the SSC was generated. After that time, unfixed IOS systems will be unable to generate new SSCs. Any service that relies on these self-signed certificates to establish or terminate a secure connection might not work after the certificate expires.

This issue affects only self-signed certificates that were generated by the Cisco IOS or Cisco IOS XE device and applied to a service on the device. Certificates that were generated by a Certificate Authority (CA), which includes those certificates generated by the Cisco IOS CA feature, are not impacted by this issue.

Affected Systems

All IOS/IOS-XE systems using a Self-Signed Certificate that do not have the CSCvi48253 fix, or that did not have the CSCvi48253 fix when the SSC was generated. This includes:
Background

Certain features in Cisco IOS and Cisco IOS XE software rely on digitally signed X.509 certificates for cryptographic identity validation. These certificates can be generated by an external third-party CA or they can be generated on the Cisco IOS or Cisco IOS XE device itself as a self-signed certificate. Affected releases of Cisco IOS and Cisco IOS XE software will always set the self-signed certificate's expiration date to 2020-01-01 00:00:00 UTC. After this date, the certificate expires and is invalid.

Services that might rely on a self-signed certificate include:

General Features:
Collaboration Features:
Wireless Features:
An attempt to generate a self-signed certificate on an affected Cisco IOS or Cisco IOS XE software release after 2020-01-01 00:00:00 UTC results in this error:

../cert-c/source/certobj.c(535) : E_VALIDITY : validity period start later than end

Any services that rely on the self-signed certificate may not function. For example:
How to Identify Affected Products

Note: To be impacted by this field notice, a device must have a self-signed certificate defined AND the self-signed certificate must be applied to one or more features as outlined below. Presence of a self-signed certificate alone will not impact the operation of the device when the certificate expires and does not require immediate action. To be impacted, a device must meet the criteria in BOTH Step 3 and Step 4 below. In order to determine if you use a self-signed certificate, complete these steps:
Additionally, a trustpoint may also be defined as shown below. If the command below is not present, the default behavior is to use the self-signed certificate.

ip http secure-trustpoint TP-self-signed-XXXXXXXX

If a trustpoint is defined and it points to a certificate other than the self-signed certificate, you are not impacted. For the HTTPS server, the impact of the expired certificate is minor because self-signed certificates are already untrusted by web browsers and generate a warning even when they are not expired. The presence of an expired certificate may change the warning you receive in the browser.
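As an added example (not from the field notice or from Cisco), a stdlib-only Python checker that applies the two conditions above to a constructed running-config and a constructed "show crypto pki certificates" excerpt: a self-signed trustpoint must exist, the HTTPS server must be bound to it (explicitly, or by default when no secure-trustpoint is set), and the certificate's end date must be the fixed 2020-01-01 00:00:00 UTC value that unfixed releases stamp on every SSC, which is what tells an affected certificate apart from one generated on fixed code. The `enrollment selfsigned` keyword and the show-command layout are assumptions, not taken from this page.

```python
import re
from datetime import datetime, timezone

# Expiry that affected releases hard-code into every self-signed certificate.
FN40789_EXPIRY = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Constructed inputs (not from a real device); the 'show crypto pki certificates' layout is assumed.
RUNNING_CONFIG = """\
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
ip http server
ip http secure-server
"""
SHOW_CERTS = """\
Router Self-Signed Certificate
  Validity Date:
    end   date: 00:00:00 UTC Jan 1 2020
"""

def self_signed_trustpoints(config):
    # Trustpoints whose enrollment method is 'selfsigned'.
    found, current = set(), None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = m.group(1)
        elif line.strip() == "enrollment selfsigned" and current:
            found.add(current)
        elif not line.startswith(" "):
            current = None  # left the trustpoint block
    return found

def https_uses_self_signed(config, ss_trustpoints):
    # HTTPS server on, and either no secure-trustpoint (default = self-signed) or a self-signed one.
    if not re.search(r"^ip http secure-server$", config, re.M):
        return False
    m = re.search(r"^ip http secure-trustpoint (\S+)$", config, re.M)
    return m is None or m.group(1) in ss_trustpoints

def self_signed_end_date(show_output):
    # 'end date' of the self-signed certificate as an aware UTC datetime, or None.
    m = re.search(r"end\s+date:\s+(\d\d:\d\d:\d\d UTC \w{3} \d{1,2} \d{4})", show_output)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def impacted(config, show_output):
    # Self-signed trustpoint present, HTTPS bound to it, and the cert carries the fixed 2020 expiry.
    ss = self_signed_trustpoints(config)
    return bool(ss) and https_uses_self_signed(config, ss) and self_signed_end_date(show_output) == FN40789_EXPIRY
```

Feed it the real outputs of `show running-config` and `show crypto pki certificates` to triage a fleet; a device whose certificate ends on any other date was generated on fixed code and is reported as not impacted.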
Workaround / Solution(s)

The solution is to upgrade the Cisco IOS or Cisco IOS XE software to a release that includes the fix:
After you upgrade the software, you must regenerate the self-signed certificate and export it to any devices that might require the certificate in their trust-store. Three workarounds are available if an immediate software upgrade is not feasible.

Workaround 1 - Obtain a valid certificate from a third-party Certificate Authority (CA)

Install a certificate from a certificate authority. Common CAs include: Comodo, Let's Encrypt, RapidSSL, Thawte, Sectigo, GeoTrust, Symantec, and many others. With this workaround, a certificate request is generated and displayed by Cisco IOS. The administrator then copies the request and submits it to a third-party CA and retrieves the result.

Note: Use of a CA to sign certificates is considered a security best practice. This procedure is provided as a workaround in this field notice; however, it is preferable to continue to use the third-party CA-signed certificate after you apply this workaround, rather than to use a self-signed certificate. In order to install a certificate from a third-party CA, complete these steps:
Workaround 2 - Use the IOS CA Server to generate a new certificate

Use the local Cisco IOS Certificate Authority server to generate and sign a new certificate. Note: The local CA server feature is not available on all products.

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http server
Router(config)# crypto pki server IOS-CA
Router(cs-server)# grant auto
Router(cs-server)# database level complete
Router(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
Router# show crypto pki server IOS-CA Certificates
Serial  Issued date              Expire date               Subject Name
1       21:31:40 EST Jan 1 2020  21:31:40 EST Dec 31 2022  cn=IOS-CA
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.

Workaround 3 - Use OpenSSL to generate a new self-signed certificate

Use OpenSSL to generate a PKCS12 certificate bundle and import the bundle to Cisco IOS.

LINUX, UNIX or MAC (OSX) Example

User@linux-box$ openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 -out tmp.cer -subj "/CN=SelfSignedCert" &> /dev/null && \
    openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 && \
    openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey tmp.key -in tmp.cer && \
    rm tmp.bin tmp.key tmp.cer && \
    openssl base64 -in certificate.pfx