Field Notice: FN - 70584 - On-Premises Cisco vManage Embedded SSL Certificate Expires on 2020-08-09 - Software Upgrade Recommended

Available Languages

Updated:July 27, 2020

Document ID:FN70584

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	21-Jul-20	Initial Release
1.1	27-Jul-20	Updated the Title and Problem Description Section

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number
NON-IOS	vManage Software	19.1	19.1.0
NON-IOS	vManage Software	19.2	19.2.0, 19.2.097, 19.2.099, 19.2.1, 19.2.2
NON-IOS	vManage Software	19.3	19.3.0
NON-IOS	vManage Software	20.1	20.1.1, 20.1.1.1, 20.1.12

Defect Information

Defect ID	Headline
CSCvu41306	Need new JKS file for 19.x+ versions

Problem Description

The embedded Secure Sockets Link (SSL) certificate in Cisco vManage expires on 2020-08-09. The embedded certificate is used to establish a connection with Digicert (formerly Symantec) during the Symantec Automated Controller Certificate Authorization process. Once the embedded certificate expires, Cisco vManage instances configured for automatic controller certificate authorization fail to initiate or renew Cisco vBond and Cisco vSmart controller SSL certificates. Controller SSL certificates eventually expire unless manual action is taken to renew them.

Note: This field notice only applies to on-premises Cisco vManage installations configured for automatic controller certificate authorization.

Background

Each vManage Network Management System (NMS), vSmart controller, vBond orchestrator, and device in an SD-WAN overlay network must have a signed SSL certificate installed before it can operate in the overlay network. Cisco vManage provides several options to generate and renew those SSL certificates. One option allows the use of Digicert's certificate service to issue and manage SSL certificates and to automatically renew SD-WAN controller certificates before they expire. During the automatic renewal process, Cisco vManage establishes a secure connection with Digicert and a certificate signing request (CSR) is generated. Once the CSR is processed, a signed certificate is received, installed on the device, and sent to the vBond orchestrator.

Cisco vManage uses an embedded SSL certificate to establish the secure connection with Digicert to process CSRs. That embedded certificate expires on 2020-08-09. Once the embedded certificate expires, the Automated Controller Certificate Authorization process in Cisco vManage will no longer work.

Note: Controller SSL certificates are not directly affected by this problem and will continue to initiate and maintain secure control connections in the SD-WAN overlay. However, controller SSL certificates will no longer be automatically renewed and will eventually expire unless renewed manually.

Problem Symptom

All Cisco vManage NMS systems that run affected software and are configured for Automated Controller Certificate Authorization are affected by this SSL certificate expiration issue. Complete these steps in order to determine if your Cisco vManage system is configured for Automated Controller Certificate Authorization.

On the Cisco vManage system console, choose Administration > Settings.
Scroll down to the Controller Certificate Authorization section.
If the mode is set to Automated and the Cisco vManage version is one of the affected software versions, then the system is affected by this SSL certificate expiration problem.

Workaround/Solution

Cisco strongly recommends that customers upgrade to a version with a fix for this SSL certificate expiration problem. The problem is fixed in Cisco vManage Version 19.2.3 and Cisco vManage Version 20.3.1. For customers who cannot immediately upgrade to a fixed software version, there are two workarounds:

Switch the Controller Certificate Authorization mode to Manual. Then follow the documented manual certificate authorization process to monitor controller SSL certificate expiration dates and renew those certificates before they expire. See the Configure Certificate Settings section in the "Cisco SD-WAN Overlay Network Bringup" chapter of the Cisco SD-WAN Getting Started Guide.
There is a patch available for affected software versions that temporarily extends the vManage embedded certificate. However, this patch can only be installed by authorized Cisco personnel and must be later removed before the Cisco vManage software is upgraded to a later version. In order to obtain the patch, contact the Cisco Technical Assistance Center and open a service request.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

SD-WAN