THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 21-Jul-20 | Initial Release |
1.1 | 27-Jul-20 | Updated the Title and Problem Description Section |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | vManage Software | 19.1 | 19.1.0 | |
NON-IOS | vManage Software | 19.2 | 19.2.0, 19.2.097, 19.2.099, 19.2.1, 19.2.2 | |
NON-IOS | vManage Software | 19.3 | 19.3.0 | |
NON-IOS | vManage Software | 20.1 | 20.1.1, 20.1.1.1, 20.1.12 | |
Defect ID | Headline |
---|---|
CSCvu41306 | Need new JKS file for 19.x+ versions |
The embedded Secure Sockets Layer (SSL) certificate in Cisco vManage expires on 2020-08-09. The embedded certificate is used to establish a connection with Digicert (formerly Symantec) during the Symantec Automated Controller Certificate Authorization process. Once the embedded certificate expires, Cisco vManage instances configured for automatic controller certificate authorization fail to initiate or renew Cisco vBond and Cisco vSmart controller SSL certificates. Controller SSL certificates eventually expire unless manual action is taken to renew them.
Note: This field notice only applies to on-premises Cisco vManage installations configured for automatic controller certificate authorization.
Each vManage Network Management System (NMS), vSmart controller, vBond orchestrator, and device in an SD-WAN overlay network must have a signed SSL certificate installed before it can operate in the overlay network. Cisco vManage provides several options to generate and renew those SSL certificates. One option allows the use of Digicert's certificate service to issue and manage SSL certificates and to automatically renew SD-WAN controller certificates before they expire. During the automatic renewal process, Cisco vManage establishes a secure connection with Digicert and a certificate signing request (CSR) is generated. Once the CSR is processed, a signed certificate is received, installed on the device, and sent to the vBond orchestrator.
Cisco vManage uses an embedded SSL certificate to establish the secure connection with Digicert to process CSRs. That embedded certificate expires on 2020-08-09. Once the embedded certificate expires, the Automated Controller Certificate Authorization process in Cisco vManage will no longer work.
Note: Controller SSL certificates are not directly affected by this problem and will continue to initiate and maintain secure control connections in the SD-WAN overlay. However, controller SSL certificates will no longer be automatically renewed and will eventually expire unless renewed manually.
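Because controller certificates keep working until their own expiry dates, the failure described above is silent, so tracking those dates becomes a manual task on unfixed versions. The following added example (not Cisco code and not part of the field notice) builds a renewal worklist from certificate end dates; the inventory format, the controller names, the sample dates and the 30-day `lead_days` margin are all assumptions.

```python
import ssl
from datetime import datetime, timezone

# From the field notice: the embedded vManage certificate expires on this date;
# afterwards automatic controller certificate renewal no longer works.
EMBEDDED_CERT_EXPIRY = datetime(2020, 8, 9, tzinfo=timezone.utc)

# Constructed sample: "<controller> notAfter=<date>", the date in the format
# printed by `openssl x509 -noout -enddate`. Names and dates are made up.
SAMPLE_INVENTORY = """\
vsmart-1 notAfter=Sep 15 12:00:00 2020 GMT
vbond-1 notAfter=Aug 20 00:00:00 2020 GMT
vsmart-2 notAfter=Mar  3 08:30:00 2021 GMT
vbond-2 notAfter=Aug  1 00:00:00 2020 GMT
vsmart-3 notAfter=unreadable
"""

def parse_inventory(text):
    """Return ([(name, expiry)], [lines that could not be parsed])."""
    certs, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        name, sep, not_after = line.partition(" notAfter=")
        try:
            if not sep:
                raise ValueError("missing notAfter field")
            seconds = ssl.cert_time_to_seconds(not_after.strip())
        except ValueError:
            rejected.append(line)  # surface it; never silently drop a controller
            continue
        certs.append((name, datetime.fromtimestamp(seconds, tz=timezone.utc)))
    return certs, rejected

def renewal_worklist(certs, as_of, lead_days=30):
    """Label each certificate as of `as_of`, earliest expiry first."""
    # lead_days is an assumed planning margin, not a value from the notice.
    auto_ok = as_of < EMBEDDED_CERT_EXPIRY
    rows = []
    for name, expiry in sorted(certs, key=lambda c: c[1]):
        days_left = (expiry - as_of).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= lead_days:
            status = "AUTO-RENEWAL DUE" if auto_ok else "RENEW MANUALLY"
        else:
            status = "OK"
        rows.append((name, days_left, status))
    return auto_ok, rows
```

Lines returned in `rejected` should be treated as unknown expiry and checked by hand rather than ignored.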
All Cisco vManage NMS systems that run affected software and are configured for Automated Controller Certificate Authorization are affected by this SSL certificate expiration issue. Complete these steps in order to determine if your Cisco vManage system is configured for Automated Controller Certificate Authorization.
Cisco strongly recommends that customers upgrade to a version with a fix for this SSL certificate expiration problem. The problem is fixed in Cisco vManage Version 19.2.3 and Cisco vManage Version 20.3.1. For customers who cannot immediately upgrade to a fixed software version, there are two workarounds:
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: