THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 15-Nov-21 | Initial Release |
1.1 | 22-Nov-21 | Updated the Products Affected Section |
Affected Product ID | Comments |
---|---|
WS-C3650-12X48UQ | |
WS-C3650-12X48UR | |
WS-C3650-24PD-S | |
WS-C3650-24PD-L | |
WS-C3650-24PD-E | |
WS-C3650-24PD | |
WS-C3650-24PWD-S | |
WS-C3650-24PDM | |
WS-C3650-12X48UZ | |
WS-C3650-24PS | |
WS-C3650-24PS-L | |
WS-C3650-24PS-S | |
WS-C3650-24TD | |
WS-C3650-24TS | |
WS-C3650-24TS-L | |
WS-C3650-24TS-S | |
WS-C3650-48FD-L | |
WS-C3650-48FQM | |
WS-C3650-48FS-L | |
WS-C3650-48FS-S | |
WS-C3650-48PD | |
WS-C3650-48PD-L | |
WS-C3650-48PQ | |
WS-C3650-48PS | |
WS-C3650-48PS-L | |
WS-C3650-48TD | |
WS-C3650-48TQ | |
WS-C3650-48TQ-E | |
WS-C3650-48TS | |
WS-C3650-48TS-L | |
WS-C3650-48TS-S | |
WS-C3650-8X24UQ | |
WS-C3850-12S | |
WS-C3850-12S-E | |
WS-C3850-12S-S | |
WS-C3850-12X48U | |
WS-C3850-12X48U-S | |
WS-C3850-12XS | |
WS-C3850-24P | |
WS-C3850-24P-L-BR | |
WS-C3850-24S | |
WS-C3850-24S-S | |
WS-C3850-24T | |
WS-C3850-24T-E | |
WS-C3850-24T-L-BR | |
WS-C3850-24T-S | |
WS-C3850-24U | |
WS-C3850-24XS | |
WS-C3850-24XS-E | |
WS-C3850-24XU | |
WS-C3850-48F | |
WS-C3850-48F-S | |
WS-C3850-48P | |
WS-C3850-48P-L | |
WS-C3850-48P-L-BR | |
WS-C3850-48P-S | |
WS-C3850-48T | |
WS-C3850-48T-L | |
WS-C3850-48T-L-BR | |
WS-C3850-48T-S | |
WS-C3850-48U | |
WS-C3850-48U-L | |
WS-C3850-48XS | |
WS-C3850E-12X48U | |
WS-C3850E-12XS | |
WS-C3850E-24XS | |
WS-C3850E-48XS | |
WS-C3850R-24T-L | |
WS-C3850X-12XQ | |
WS-C3850X-24XQ | |
WS-C3850X-40XS | |
C1000-16FP-2G-L | |
C1000-16P-2G-L | |
C1000-16P-E-2G-L | |
C1000-16T-2G-L | |
C1000-16T-E-2G-L | |
C1000-24FP-4G-L | |
C1000-24FP-4X-L | |
C1000-24P-4G-L | |
C1000-24P-4X-L | |
C1000-24T-4G-L | |
C1000-24T-4X-L | |
C1000-48FP-4G-L | |
C1000-48FP-4X-L | |
C1000-48P-4G-L | |
C1000-48P-4X-L | |
C1000-48PP-4G-L | |
C1000-48T-4G-L | |
C1000-48T-4X-L | |
C1000-8FP-2G-L | |
C1000-8FP-E-2G-L | |
C1000-8P-2G-L | |
C1000-8T-2G-L | |
C1000-8T-E-2G-L | |
C1000-8P-E-2G-L | |
WS-C1000-24PS-LL | |
WS-C1000-24TS-LL | |
WS-C1000-16PS-LL | |
WS-C1000-16TS-LL | |
WS-C1000-8PS-LL | |
WS-C1000-8TS-LL | |
WS-C1000-48PS-LL | |
WS-C1000-48TS-LL | |
WS-C2960L-16TS-LL | |
WS-C2960L-16PS-LL | |
WS-C2960L-16PSLL++ | |
WS-C2960L-16TSLL++ | |
WS-C2960L-16PS-JP | |
WS-C2960L-16TS-JP | |
WS-C2960L-24PD-LL | |
WS-C2960L-24PQ-LL | |
WS-C2960L-24PQLL++ | |
WS-C2960L-8PS-LL | |
WS-C2960L-48TS-LL | |
WS-C2960L-24PS-LL | |
WS-C2960L-8TS-LL | |
WS-C2960L-48PS-LL | |
WS-C2960L-24TS-LL | Part Alternate |
WS-C2960L-8PSLL++ | |
WS-C2960L-8TSLL++ | |
WS-C2960L-48PSLL++ | |
WS-C2960L-48TSLL++ | |
WS-C2960L-24PSLL++ | |
WS-C2960L-24TSLL++ | |
WS-C2960L-8PS-JP | |
WS-C2960L-8TS-JP | |
WS-C2960L-48PS-JP | |
WS-C2960L-48TS-JP | |
WS-C2960L-24PS-JP | |
WS-C2960L-24TS-JP | |
WS-C2960L-48PS-AP | |
WS-C2960L-48TS-AP | |
WS-C2960L-24PS-AP | |
WS-C2960L-24TS-AP | |
WS-C2960L-48PQ-LL | |
WS-C2960L-48TQ-LL | |
WS-C2960L-24TQ-LL | |
WS-C2960L-24TQLL++ | |
WS-C2960L-48PQLL++ | |
WS-C2960L-48TQLL++ | |
WS-C2960L-SM-8TS | |
WS-C2960L-SM-8PS | |
WS-C2960L-SM-16TS | |
WS-C2960L-SM-16PS | |
WS-C2960L-SM-24TS | |
WS-C2960L-SM-24PS | |
WS-C2960L-SM-48TS | |
WS-C2960L-SM-48PS | |
WS-C2960L-SM-24TQ | |
WS-C2960L-SM-24PQ | |
WS-C2960L-SM-48TQ | |
WS-C2960L-SM-48PQ | |
WS-C2960L-24TS-JPP | |
CDB-8U | |
CDB-8P | |
CDB-4PD | |
CDB-4PF | |
CDB-4PC | |
WS-C2960CX-8TC-L | |
WS-C2960CX-8PC-L | |
WS-C2960X-24PD-L | |
WS-C2960X-24PD-L++ | |
WS-C2960X-24PS-L | Part Alternate |
WS-C2960X-24PSQ-L | |
WS-C2960X-24TS-L | Part Alternate |
WS-C2960X-24TD-L | |
WS-C2960X-24TS-LL | |
WS-C2960X-24PS-BR | |
WS-C2960X-24TSLL++ | |
WS-C2960X-24TS-L++ | |
WS-C2960X-24TD-L++ | |
WS-C2960X-24PSQL++ | |
WS-C2960X-24PS-L++ | |
WS-C2960X-24TS-LB | |
WS-C2960X-24TS-IN | |
WS-C2960X-24PS-IN | |
WS-C2960X-48LPS-L | Part Alternate |
WS-C2960X-48LPD-L | Part Alternate |
WS-C2960X-48FPS-L | Part Alternate |
WS-C2960X-48FPD-L | Part Alternate |
WS-C2960X-48TD-L | |
WS-C2960X-48TS-L | Part Alternate |
WS-C2960X-48TS-LL | |
WS-C2960X-48TS-BR | |
WS-C2960X-48TSLL++ | |
WS-C2960X-48TS-L++ | |
WS-C2960X-48TD-L++ | |
WS-C2960X-48LPSL++ | |
WS-C2960X-48LPDL++ | |
WS-C2960X-48FPSL++ | |
WS-C2960X-48FPDL++ | |
WS-C2960X-48LPD-LB | |
WS-C2960X-48FPD-LB | |
WS-C2960X-48FPS-LB | |
WS-C2960X-48LPS-LB | |
WS-C2960X-48TS-IN | |
WS-C2960XR-48FPD-I | |
WS-C2960XR-48LPD-I | |
WS-C2960XR-48FPS-I | |
WS-C2960XR-48LPS-I | |
WS-C2960XR-24PD-I | |
WS-C2960XR-24PS-I | |
WS-C2960XR-48TD-I | |
WS-C2960XR-48TS-I | |
WS-C2960XR-24TD-I | |
WS-C2960XR-24TS-I | |
WS-C3560CX-12TC-S | |
WS-C3560CX-12PC-S | |
WS-C3560CX-8TC-S | |
WS-C3560CX-8PC-S | |
WS-C3560CX-12PD-S | |
WS-C3560CX-8XPD-S | |
WS-C3560CX-8PT-S | |
WS-C3560CX-12PCS++ | |
WS-C2960+48PST-S | |
WS-C2960+48PST-L | |
WS-C2960+24TC-L | |
WS-C2960+48TC-L | |
WS-C2960+48TC-S | |
WS-C2960+24LC-S | |
WS-C2960+24LC-L | |
WS-C2960+24PC-L | |
WS-C2960+24PC-S | |
Defect ID | Headline |
---|---|
CSCvx28898 | SUDI certificate expiration may impact functionality |
A Cisco Secure Unique Device Identifier (SUDI) certificate that is registered to a Public Key Infrastructure (PKI) and that is also used to configure certain functionalities will expire on a limited number of Cisco Catalyst Switching products (see the Products Affected section). Any service that relies on a SUDI certificate to establish a secure connection might not work after the certificate expires.
SUDI is an X.509v3 certificate which maintains the product identifier and serial number. The identity is implemented at manufacturing and is linked to a publicly identifiable root Certificate Authority (CA). The SUDI can be used as an immutable identity for configuration, security, auditing, and management.
The Cisco SUDI certificate, when registered to a PKI and used to configure certain functionalities on Cisco IOS and Cisco IOS XE, will expire on a limited number of Catalyst Switching products either on [the date of manufacture + 10 years] or on 2029-05-14, whichever is earlier. Any service that relies on a SUDI certificate to establish a secure connection might not work after the certificate expires.
In order to determine the SUDI certificate expiration date, enter this command: show crypto pki certificates
Sample Output:
```
switch> show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 051E49D9
  Certificate Usage: General Purpose
  Issuer:
    cn=ACT2 SUDI CA
    o=Cisco
  Subject:
    Name: <product id>
    Serial Number: PID:<product id> SN:<serial no>
    cn=<product id>
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:<product id> SN:<serial no>
  Validity Date:
    start date: 02:23:17 UTC Apr 20 2020
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI
```
In order to determine if a SUDI trust point is used, enter this command:
```
Switch# show run | i CISCO_IDEVID_SUDI
```
Various features that might be linked to the SUDI certificate are shown in these sample configurations:
HTTPS
```
ip http secure-trustpoint CISCO_IDEVID_SUDI
ip http client secure-trustpoint CISCO_IDEVID_SUDI
```
SSH authentication that uses certificates
```
ip ssh server certificate
 profile server
  trustpoint sign CISCO_IDEVID_SUDI
```
Zero Touch Deployment (ZTD) that uses a certificate enrollment profile for enrollment or reenrollment
```
crypto pki profile enrollment profile-name
 credential CISCO_IDEVID_SUDI
```
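As an added example (not part of the Cisco field notice), this Python script turns the two checks above into a fleet-scale audit: it parses show crypto pki certificates output to find the certificate behind the CISCO_IDEVID_SUDI trustpoint, applies the notice's expiry rule (manufacture date + 10 years or 2029-05-14, whichever is earlier), and lists every running-config line that binds a feature to that trustpoint. The sample output and configuration are constructed, and the certificate start date is assumed to stand in for the manufacture date.

```python
import re
from datetime import date, datetime
SUDI_TP = "CISCO_IDEVID_SUDI"
HARD_STOP = date(2029, 5, 14)  # latest SUDI expiry date stated in the notice

# Constructed samples modelled on the notice's output, not captured from a real device.
SHOW_CERTS = """\
Certificate
  Validity Date:
    start date: 02:23:17 UTC Apr 20 2020
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
  Validity Date:
    start date: 14:54:46 UTC Dec 16 2019
    end   date: 14:54:46 UTC Nov 28 2030
  Associated Trustpoints: TEST
"""
SHOW_RUN = """\
ip http secure-trustpoint CISCO_IDEVID_SUDI
ip ssh server certificate profile
 server
  trustpoint sign CISCO_IDEVID_SUDI
crypto pki profile enrollment ZTD
 credential CISCO_IDEVID_SUDI
ip http client secure-trustpoint TEST
"""

def _ios_date(s):  # e.g. '20:25:41 UTC May 14 2029'
    return datetime.strptime(s.strip(), "%H:%M:%S %Z %b %d %Y").date()

def parse_certificates(text):
    """One dict per certificate block in 'show crypto pki certificates' output."""
    certs = []
    for block in re.split(r"^(?=(?:CA )?Certificate\s*$)", text, flags=re.M):
        if block.strip():
            field = lambda pat: re.search(pat, block, re.M).group(1)
            certs.append({"start": _ios_date(field(r"start\s+date:\s*(.+)$")),
                          "end": _ios_date(field(r"end\s+date:\s*(.+)$")),
                          "trustpoints": field(r"Associated Trustpoints:\s*(.+)$").split()})
    return certs

def sudi_expiry(certs):
    """Expiry date of the certificate bound to the SUDI trustpoint, or None if absent."""
    return next((c["end"] for c in certs if SUDI_TP in c["trustpoints"]), None)

def expected_sudi_expiry(start):
    """Notice's rule: manufacture date + 10 years, or 2029-05-14 if earlier (assumption: start date = manufacture date)."""
    y = start.year + 10  # 29 Feb rolls back to 28 Feb when the target year is not a leap year
    plus_ten = date(y, start.month, start.day) if (start.month, start.day) != (2, 29) else date(y, 2, 28)
    return min(plus_ten, HARD_STOP)

def sudi_dependents(config):
    """Running-config lines that bind HTTPS, SSH-certificate or ZTD features to the SUDI trustpoint."""
    return [ln.strip() for ln in config.splitlines() if SUDI_TP in ln]
```

A non-empty result from sudi_dependents on a switch whose sudi_expiry is in the past is exactly the condition the notice warns about.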
Any services that rely on a trust point that is configured with an expired Cisco SUDI certificate will be affected. Some examples are:
HTTP Server over TLS (HTTPS) - HTTPS will produce an error in the browser which indicates that the certificate is expired.
SSH Server - Applications that use SUDI certificates to authenticate the SSH session might fail to authenticate.
Note: This use of SUDI certificates is rare. Username/password authentication and non-SUDI public/private key authentication are not affected.
Customers should use one of these four workaround methods in order to install and use an alternate certificate:
Note: Introduction of a new certificate on a device might require import of the issuer's certificate on any peer devices where the new certificate is used to protect communication.
Note: After a new non-SUDI certificate is obtained, the configuration of any feature that is identified in the Background section must be updated. The trust point configuration commands must be reconfigured to be able to use the new certificate.
Workaround 1
Install a certificate from a CA.
In this workaround, a certificate request is generated and displayed by Cisco IOS. The administrator then copies the request and submits it to a third-party CA and retrieves the result.
Note: Use of a CA to sign certificates is a security best practice. This procedure is provided as a workaround in this field notice. However, it is preferable to continue to use the third-party CA-signed certificate after you apply this workaround, rather than to use a self-signed certificate.
In order to install a certificate from a third-party CA, complete these steps:
1. Create a Certificate Signing Request (CSR).
```
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki trustpoint TEST
Switch(ca-trustpoint)# enrollment term pem
Switch(ca-trustpoint)# subject-name CN=TEST
Switch(ca-trustpoint)# revocation-check none
Switch(ca-trustpoint)# rsakeypair TEST
Switch(ca-trustpoint)# exit
Switch(config)# crypto pki enroll TEST
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: Switch.cisco.com
% The serial number in the certificate will be: <serial no>
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
A Base64 Certificate is displayed here. Copy it, along with the ---BEGIN and ---END lines.
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
```
2. Submit the CSR to the third-party CA.
Note: The procedure to submit the CSR to a third-party CA and retrieve the resulting certificate varies based on the CA that is used. Consult the documentation of your CA for instructions on how to perform this step.
3. Download the new identity certificate for the switch along with the CA certificate.
4. Install the CA certificate on the device.
```
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki auth TEST
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: 79D15A9F C7EB4882 83AC50AC 7B0FC625
Fingerprint SHA1: 0A80CC2C 9C779D20 9071E790 B82421DE B47E9006
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
```
5. Install the identity certificate on the device.
```
Switch(config)# crypto pki import TEST certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
% Switch Certificate successfully imported
```
Workaround 2
Use the local Cisco IOS CA server to generate and sign a new certificate.
Note: The local CA server feature is not available on all products.
```
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip http server
Switch(config)# crypto pki server IOS-CA
Switch(cs-server)# grant auto
Switch(cs-server)# database level complete
Switch(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: <password>
Re-enter password: <password>
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
Switch# show crypto pki server IOS-CA Certificates
Serial  Issued date               Expire date               Subject Name
1       21:31:40 EST Jan 1 2020   21:31:40 EST Dec 31 2022  cn=IOS-CA
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki trustpoint TEST
Switch(ca-trustpoint)# enrollment url http://<local interface ip>:80
! Replace <local interface ip> with the IP address of an interface on the switch
Switch(ca-trustpoint)# subject-name CN=TEST
Switch(ca-trustpoint)# revocation-check none
Switch(ca-trustpoint)# rsakeypair TEST
Switch(ca-trustpoint)# exit
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki auth TEST
Certificate has the following attributes:
Fingerprint MD5: C281D9A0 337659CB D1B03AA6 11BD6E40
Fingerprint SHA1: 1779C425 3DCEE86D 2B11C880 D92361D6 8E2B71FF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Switch(config)# crypto pki enroll TEST
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: <password>
Re-enter password: <password>
% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: Switch.cisco.com
% Include the switch serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: <serial no>
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TEST' command will show the fingerprint.
```
Workaround 3
Use OpenSSL to generate a PKCS12 certificate bundle and import the bundle to Cisco IOS.
Note: This process generates a self-signed certificate and a corresponding key-pair package into a PKCS12 formatted file. This file is protected only by a password. Compromise of the password or of the key-pair itself will enable an unauthorized party to replicate this certificate. Appropriate steps should be taken to keep the key-pair and password confidential.
1. Generate a PKCS12 certificate bundle.
Linux, UNIX, or macOS example:
```
User@linux-box$ openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 \
      -out tmp.cer -subj "/CN=SelfSignedCert" &> /dev/null \
  && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:<use a secure password> \
  && openssl pkcs12 -export -out certificate.pfx -password pass:<use a secure password> -inkey tmp.key -in tmp.cer \
  && rm tmp.bin tmp.key tmp.cer \
  && openssl base64 -in certificate.pfx
MIII8QIBAzCCCLcGCSqGSIb3DQEHAaCCCKgEggikMIIIoDCCA1cGCSqGSIb3DQEH
BqCCA0gwggNEAgEAMIIDPQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIGnxm
t5r28FECAggAgIIDEKyw10smucdQGt1c0DdfYXwUo8BwaBnzQvN0ClawXNQln2bT
vrhus6LfRvVxBNPeQz2ADgLikGxatwV5EDgooM+IEucKDURGLEotaRrVU5Wk3EGM
mjC6Ko9OaM30vhAGEEXrk26cq+OWsEuF3qudggRYv2gIBcrJ2iUQNFsBIrvlGHRo
FphOTqhVaAPxZS7hOB30cK1tMKHOIa8EwygyBvQPfjjBT79QFgeexIJFmUtqYX/P
<OUTPUT OMITTED FOR BREVITY>
tT6r4SuibYKu6HV45ffjSzOimcJI+D9LKhLWR6pK/k5ge8v7aK9/rsVbjavbdy7b
CSqGSIb3DQEJFTEWBBS96DY/gRfN1dSx46P1EqjPvSYiETAxMCEwCQYFKw4DAhoF
AAQU+EX0kNvuNz6XmFxXER8wlqKTGvgECA+D+Z81uwafAgIIAA==
```
2. Import the certificate to a Cisco IOS or Cisco IOS XE switch.
```
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# crypto pki trustpoint TEST
Switch(ca-trustpoint)# enrollment terminal
Switch(ca-trustpoint)# revocation-check none
Switch(ca-trustpoint)# exit
Switch(config)# crypto pki import TEST pkcs12 terminal password <use a secure password>
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
MIII8QIBAzCCCLcGCSqGSIb3DQEHAaCCCKgEggikMIIIoDCCA1cGCSqGSIb3DQEH
BqCCA0gwggNEAgEAMIIDPQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQItyCo
Vh05+0QCAggAgIIDENUWY+UeuY5sIRZuoBi2nEhdIPd1th/auBYtX79aXGiz/iEW
<OUTPUT OMITTED FOR BREVITY>
IY1l273y9bC3qPVJ0UGoQW8SGfarqEjaqxdAet66E5V6u9Yvd4oMsIYGsa70m+FN
CsUVj+ll5hzGjK78L0ycXWpH4gDOGYBVf+D7mgWqaqZvxYUoEkOrTMmW5zElMCMG
CSqGSIb3DQEJFTEWBBSgiBJIYpJLzo/GYN0sesZh3wGmPTAxMCEwCQYFKw4DAhoF
AAQUdeUrLIC2uo/mbyE86he5+qEjmPYECKu76GWaeKb7AgIIAA==
quit
CRYPTO_PKI: Imported PKCS12 file successfully.
Switch(config)#
```
3. Verify that the new certificate is installed.
```
Switch# show crypto pki certificates TEST
Load for five secs: 5%/1%; one minute: 2%; five minutes: 3%
Time source is SNTP, 15:04:37.593 UTC Mon Dec 16 2019
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 00A16966E46A435A99
  Certificate Usage: General Purpose
  Issuer:
    cn=SelfSignedCert
  Subject:
    cn=SelfSignedCert
  Validity Date:
    start date: 14:54:46 UTC Dec 16 2019
    end   date: 14:54:46 UTC Nov 28 2030
```
Workaround 4
Use SCEP to acquire a certificate from the customer's PKI.
This use case is typical for utility customers. Follow these steps to set up the device to acquire a certificate from the customer's PKI:
1. Create a new trustpoint Locally Significant Device Identifier (LDevID).
```
crypto pki trustpoint LDevID
 enrollment retry count 10
 enrollment retry period 2
 enrollment profile LDevID
 serial-number none
 fqdn none
 ip-address none
 password
 fingerprint 3F520C4C0F3236C9CA3D5C209C9948EC
 subject-name serialNumber=PID:<product id> SN:<serial no>,CN=<serial no>
 revocation-check none
 rsakeypair LDevID 2048
```
2. Create an enrollment profile for the new trustpoint LDevID.
```
crypto pki profile enrollment LDevID
 enrollment url http://192.168.0.254:80
```
Here, 192.168.0.254:80 is the IP address and port number of the RA or CA.
3. Authenticate the trustpoint.
```
conf t
crypto pki authenticate LDevID
```
4. Enroll the trustpoint.
```
conf t
crypto pki enroll LDevID
```
5. Use the new LDevID certificate instead of SUDI for configurations and applications.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.