Field Notice: FN - 72110 - Cisco Prime Infrastructure: QuoVadis Root CA 2 Decommission Might Affect Smart Licensing, Software Image Management Services, and Software Updates/Critical Patch Updates - Software Upgrade Recommended

Available Languages

Updated:May 19, 2022
Document ID:FN72110

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.3
19-May-22
Updated the Workaround/Solution Section
1.2
15-Mar-22
Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections and Added the Additional Information Section
1.1
01-Mar-22
Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections
1.0
04-Mar-21
Initial Release

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
Prime Infrastructure Software
3
3.7.0
PI_3_7_x_Prime_Data_Migration_Tool_Update_02.01-1.0.10.ubf
NON-IOS
Prime Infrastructure Software
3.8
3.8.0
PI_3_8_x_Prime_Data_Migration_Tool_Update_02.01-1.0.7.ubf
NON-IOS
Prime Infrastructure Software
3.9
3.9.0
PI_3_9_Update_01-1.0.14.ubf

Defect Information

Defect ID Headline
CSCvx00470 QuoVadis root CA decommission on ncs

Problem Description

For affected versions of Cisco Prime Infrastructure, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on the devices or are removed from the Cisco cloud servers, functions such as Smart Software Image Management Services and software updates/critical patch updates will fail to establish secure connections to Cisco and might not operate properly.

Background

The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by Cisco Prime Infrastructure to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.

Certificates issued before the QuoVadis Root CA 2 is decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing to fail to establish secure connections to Cisco cloud servers.

This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.

Cisco Cloud Server QuoVadis Certificate Expiration Date Affected Services
tools.cisco.com February 5, 2022
  • Smart Licensing
  • Smart Call Home
cloudsso.cisco.com March 12, 2022
  • Software Image Management Services
  • Software Updates/Critical patch updates
api.cisco.com March 12, 2022
  • Software Image Management Services
  • Software Updates/Critical patch updates

Problem Symptom

Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.

Affected Services Symptoms for Affected Services
Smart Licensing Failure to connect to the server (Details are provided in this section)
Smart Call Home Failure to connect to the server and the Call-Home HTTP request fails
Software Image Management Services Failure to connect to the server to download the Device and Prime application software images
Software Updates/Critical patch updates Failure to connect to the server to download the Device and Prime application software images

 

For Cisco Prime Infrastructure devices, affected platforms will be unable to register with Smart Licensing and will be unable to get the updates for devices (Software Image Management) and Product Software Updates hosted by tools.cisco.com.

Some Smart Licensing symptoms are:

  • The device might indicate a failure to communicate with the Smart Licensing server within 30 days from the last successful connection.
  • The device will show the "Authorization Expired" state if there is no communication with the Smart Licensing server within 90 days.
  • The device will show the "Unregistered" state if there is no communication with the Smart Licensing server after one year and the licensed features usage become suspended.

Note: Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.

For additional information, refer to the Cisco Smart Licensing Guide and the Prime Infrastructure Administrator Guide for your specific version of the Cisco Prime Infrastructure Quick Start Guide.

In admin mode, enter this command in order to view the certificate availability in Cisco Prime Infrastructure. <TRUST_STORE> is any one of the trust store names (system, pubnet, devicemgmt, user).

ncs certvalidation trusted-ca-store listcacerts truststore <TRUST_STORE>

Affected platforms will show the output in the console as shown in this example.

Note: Cisco provides a 60-day grace period before affected Smart Licenses are placed in an Authorization Expired status that would impact feature functionality. Smart license registration for new products might be affected and requires the workaround/solution.

Workaround/Solution

Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to the Cisco Prime Infrastructure.

  • Software Upgrade
  • Manual Certificate Update

 

Software Upgrade

For Cisco Prime Infrastructure, upgrade to one of the Cisco Prime Infrastructure versions shown in the table.

Release Version Fixed Version
Prime Infrastructure 3.9.x Prime Infrastructure 3.9.1
Prime Infrastructure 3.10.x Prime Infrastructure 3.10.0

 

Manual Certificate Update

In order to resolve the issue without a software upgrade, follow the steps below to manually import the IdenTrust Commercial Root CA 1 certificate into the Cisco Prime Infrastructure trust store.

  1. In Cisco Prime server, create a file named "IdenTrustRootCA1.pem" under /localdisk/defaultRepo/ directory and save the certificate content into the file.

    The updated IdenTrust Commercial Root CA 1 certificate is shown here and complies with sha1WithRSAEncryption signature algorithm requirements.

    Copy and paste this IdenTrust Commercial Root CA 1 certificate into the file. Be sure to include “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----“.

    -----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
-----END CERTIFICATE-----
  2. From admin mode, execute these four commands in order to import the certificate for all trust stores:

    ncs certvalidation trusted-ca-store importcacert alias IdenTrustRootCA1 repository defaultRepo IdenTrustRootCA1.pem truststore system

    ncs certvalidation trusted-ca-store importcacert alias IdenTrustRootCA1 repository defaultRepo IdenTrustRootCA1.pem truststore pubnet

    ncs certvalidation trusted-ca-store importcacert alias IdenTrustRootCA1 repository defaultRepo IdenTrustRootCA1.pem truststore devicemgmt

    ncs certvalidation trusted-ca-store importcacert alias IdenTrustRootCA1 repository defaultRepo IdenTrustRootCA1.pem truststore user

  3. After these steps are complete, restart the Prime infrastructure services in order for the changes to take effect.

Note: Existing certificates issued from the HydrantID SSL ICA G3 do not need replacement. They are normal certificates issued from the current SSL certificate service and can be used until expiration.

Additional Information

Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products