Field Notice: FN - 70460 - Cisco DNA Center PKI Broker Failure Causes Some Trustpoint Operations to Fail - Software Upgrade Recommended

Available Languages

Updated:October 8, 2019

Document ID:FN70460

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	07-Oct-19	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	DNA Center Software	1	1.1	Affected releases: 1.2.10, 1.2.12, 1.3.0, 1.3.1

Defect Information

Defect ID	Headline
CSCvr03768	PKI broker won't issue device cert in DNAC after 4th OCT,2019 as EJBCA WSDL cert is expiring

Problem Description

The Web Services Description Language (WSDL) certificate in Cisco DNA Center's EJBCA Public Key Infrastructure (PKI) broker service expires on 2019-10-04. After this server certificate expires, Cisco DNA Center clients that use the EJBCA service for secure sessions will fail to connect.

Background

EJBCA is an open source certificate authority service in Cisco DNA Center's PKI implementation. PKI requires an unexpired Certificate Authority (CA) signed certificate to establish identity, otherwise secure connection requests will fail. The WSDL certificate in Cisco DNA Center expires on 2019-10-04 and must be renewed for the EJBCA PKI service to continue to operate properly.

Problem Symptom

Clients that use the EJBCA service in Cisco DNA Center will fail to connect. For example, the Embedded Wireless Controller on Cisco Catalyst 9800 Series devices will fail to onboard. Also, Cisco Aironet AP-1800 Sensors will fail to connect to Cisco DNA Center.

Workaround/Solution

There is no workaround for this problem. Customers must upgrade Cisco DNA Center to a version that has been patched to include a new WSDL certificate. The new certificate has a 20 year expiry.

These Cisco DNA Center software releases have the fix with the new WSDL certificate:

1.2.10.5
1.2.12.2
1.3.0.4
1.3.1.1

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Catalyst Center