Field Notice: FN - 72399 - Catalyst 2960X/2960XR: Counterfeit Detection With the SUDI Verification Feature Supported in Release 15.2(7)E4 or Later - Software Upgrade Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	29-Apr-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
IOS	IOS	15.2	15.2(2)E, 15.2(2)E1, 15.2(2)E10, 15.2(2)E2, 15.2(2)E3, 15.2(2)E4, 15.2(2)E5, 15.2(2)E5a, 15.2(2)E6, 15.2(2)E7, 15.2(2)E8, 15.2(2)E9, 15.2(3)E, 15.2(3)E1, 15.2(3)E2, 15.2(3)E3, 15.2(4)E, 15.2(4)E1, 15.2(4)E10, 15.2(4)E2, 15.2(4)E3, 15.2(4)E4, 15.2(4)E5, 15.2(4)E6, 15.2(4)E7, 15.2(4)E8, 15.2(4)E9, 15.2(5)E, 15.2(5)E1, 15.2(5)E2, 15.2(6)E, 15.2(6)E1, 15.2(6)E2a, 15.2(7)E1, 15.2(7)E2, 15.2(7)E3	All releases earlier than Cisco IOS Release 15.2.7E4 are impacted.

Defect Information

Defect ID	Headline
CSCvb64782	SUDI Verification Feature Supported in Release 15.2(7)E4 or Later

Problem Description

In order to detect and mitigate device counterfeiting and malicious attacks on hardware and software, Cisco uses Hardware Trust Anchor, Secure Unique Device Identifier (SUDI), digitally signed software images, secure boot, and other multilayered security approaches to verify the authenticity and integrity of our solutions. These trustworthy technologies run automated checks of hardware and software integrity and can shut down the boot process if a compromise is detected.

Cisco Catalyst 2960X/2960XR platforms should be upgraded to Cisco IOS^® Release 15.2(7)E4 or later in order to enable this SUDI verification before devices are onboarded into your network. The latest software can be downloaded from the Cisco Software Download website.

Cisco encourages customers to buy only genuine gear from Cisco Authorized Partners. Because of the pervasiveness of the Cisco Catalyst 2960X/2960XR switches on the grey market, it is imperative that customers enable the latest software release in order to validate the authenticity, security, and performance of their switch.

Background

The illicit grey market for Cisco's gear carries significant risk for customers who buy unauthorized secondhand, third-party, or even stolen networking gear. Cisco's 2960X/2960XR switches have been a flagship product for many years, and subsequently have been diverted into the grey market.

Cisco always recommends that customers buy from Cisco Authorized Partners. If you choose to purchase Cisco products from a source on the grey market, you might take these risks:

• Counterfeit Products - The purchase of Cisco products from an unauthorized reseller might put your company at risk of receiving counterfeit Cisco products. Counterfeit products might cause severe damage to the network your company depends on for its business operations or introduce security vulnerabilities. Additionally, counterfeit Cisco products are not eligible for any Cisco support services. See the Cisco Non-Entitlement Policy for more information.
• Licensing - Cisco sells its products with end-user licenses that permit the end user of the product to use the software Cisco provides, for example, Cisco IOS software contained on a Cisco router or switch. If your company purchases Cisco products from an unauthorized reseller, you might not have a valid software license, in which case you would need to purchase a software license or submit a request and be approved for a license transfer. See the  Cisco Hardware Inspection and Software Relicensing Program for more information.
• Warranties - Cisco products are sold with end-user warranties that apply to the original end user who purchased the product from a Cisco Authorized Partner. These express warranties cannot be transferred to any subsequent user of Cisco equipment unless specifically authorized by Cisco. Cisco might not provide warranty support for any equipment that you purchase from an unauthorized reseller. This does not affect any warranty Cisco is required to provide by applicable laws. See the Cisco Non-Entitlement Policy for more information..
• Support Plans - If you purchase a Cisco product from an unauthorized reseller, the said product is not automatically eligible for Cisco SMARTnet or Smart Net Total Care support services. Cisco must first evaluate the product's eligibility to receive support services (that is, ensure that product is genuine, no changes have been made to the Cisco hardware or software, and to confirm that the product still functions according to Cisco's specifications and customer expectations). Cisco's policy is to charge an inspection fee for this evaluation.  In full, this policy is set forth in Cisco Hardware Inspection and Software Relicensing Program. See Cisco's Smart Net Total Care website for more information.
• Third-Party Components - If you report a fault or defect in a Cisco product, which can be traced to the use of third-party components that include, but are not limited to, third-party memory, cables, or gigabit interface controllers (GBICs) installed by your company or unauthorized reseller for use in conjunction with the said Cisco product, Cisco might withhold warranty and/or support services for such Cisco product. See the Cisco Non-Entitlement Policy for more information.

The Cisco Brand Protection team partners closely with both law enforcement and customs officials around the world to stop counterfeit products at borders, identify counterfeiting operations, and pursue legal actions against infringers of Cisco’s intellectual property rights, which includes trademarks. Cisco’s goal is to actively support our partners and customers in protecting their investment in Cisco solutions.

Problem Symptom

Counterfeit devices run the risk of disrupting normal system operation and can show any abnormal behavior.

Some of the common error logs which might be observed include, but are not limited to, these logs:

%ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization. This product may contain software that was copied in violation of Cisco's license terms. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.

%ILET-1-DEVICE_AUTHENTICATION_FAIL: The FlexStack Module inserted in this switch might not have been manufactured by Cisco or with Cisco's authorization. If your use of this product is the cause of a support issue, Cisco might deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center (TAC) for more information.

Workaround/Solution

The process to validate the SUDI on a Cisco Catalyst 2960X/2960XR device is described in this section. The implementation of SUDI is based on Public Key Infrastructure (PKI) and the associated cryptography.

Note: Steps 2 and 3 require access to the openssl command. This is not a Cisco IOS CLI command. The openssl command is available in most Linux distributions (such as Ubuntu) and MacOS.

Microsoft Windows does not have it available with the installation, but there are third-party binaries available for download.

Step 1. Gather Device Data

Data needed from the device for this validation includes:

• Basic information listed in the output of the show version CLI command.
• Details for SUDI verification with the output of the show platform sudi certificate sign nonce [nonce] CLI command. This CLI command is only available in Cisco IOS Release 15.2.7E4 and later.

In order to confirm the output is not tampered in any way, include the 'sign' option with a 'nonce' in the command. The value of the nonce shall be a random number decided when you enter the command. Do not use a static value for all validations on a particular device.

Sample Output:

Switch#show platform sudi certificate sign nonce 123
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED     >>> Certificate 1
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIKYQlufQAAAAAADDANBgkqhkiG9w0BAQUFADA1MRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw
HhcNMTEwNjMwMTc1NjU3WhcNMjkwNTE0MjAyNTQyWjAnMQ4wDAYDVQQKEwVDaXNj
bzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0m5l3THIxA9tN/hS5qR/6UZRpdd+9aE2JbFkNjht6gfHKd477AkS
5XAtUs5oxDYVt/zEbslZq3+LR6qrqKKQVu6JYvH05UYLBqCj38s76NLk53905Wzp
9pRcmRCPuX+a6tHF/qRuOiJ44mdeDYZo3qPCpxzprWJDPclM4iYKHumMQMqmgmg+
xghHIooWS80BOcdiynEbeP5rZ7qRuewKMpl1TiI3WdBNjZjnpfjg66F+P4SaDkGb
BXdGj13oVeF+EyFWLrFjj97fL2+8oauV43Qrvnf3d/GfqXj7ew+z/sXlXtEOjSXJ
URsyMEj53Rdd9tJwHky8neapszS+r+kdVQIDAQABo4IBWjCCAVYwCwYDVR0PBAQD     >>> Certificate 2
AgHGMB0GA1UdDgQWBBRI2PHxwnDVW7t8cwmTr7i4MAP4fzAfBgNVHSMEGDAWgBQn
88gVHm6aAgkWrSugiWBf2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3
LmNpc2NvLmNvbS9zZWN1cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEF
BQcBAQREMEIwQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3Vy
aXR5L3BraS9jZXJ0cy9jcmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkV
AQwAMEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5
L3BraS9wb2xpY2llcy9pbmRleC5odG1sMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJ
KoZIhvcNAQEFBQADggEBAGh1qclr9tx4hzWgDERm371yeuEmqcIfi9b9+GbMSJbi
ZHc/CcCl0lJu0a9zTXA9w47H9/t6leduGxb4WeLxcwCiUgvFtCa51Iklt8nNbcKY
/4dw1ex+7amATUQO4QggIE67wVIPu6bgAE3Ja/nRS3xKYSnj8H5TehimBSv6TECi
i5jUhOWryAK4dVo8hCjkjEkzu3ufBTJapnv89g9OE+H3VKM4L+/KdkUO+52djFKn
hyl47d7cZR4DY4LIuFM2P1As8YyjzoNpK/urSRI14WdIlplR1nH7KNDl5618yfVP
0IFJZBGrooCRBjOSwFv8cpWCbmWdPaCQT2nwIjTfY8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDiDCCAnCgAwIBAgIDAbx3MA0GCSqGSIb3DQEBCwUAMCcxDjAMBgNVBAoTBUNp
c2NvMRUwEwYDVQQDEwxBQ1QyIFNVREkgQ0EwHhcNMTMwNzEyMjExMTE1WhcNMjMw
NzEyMjExMTE1WjB1MSwwKgYDVQQFEyNQSUQ6V1MtQzI5NjBYLTQ4VFMtTCBTTjpG
T0MxNzI4VzI1UzEOMAwGA1UEChMFQ2lzY28xGDAWBgNVBAsTD0FDVC0yIExpdGUg
U1VESTEbMBkGA1UEAxMSV1MtQzI5NjBYLTQ4VFMtTCAgMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAputJ8j29wJubV2yFF1wL+4ynVspW/8dLqZKECAfp
NafvKXLlnd5cVleq7H8A4e7o4mHwmHsEmzfpfxbDnSppuhnHeoEJYY6FH4tCXrF3
s4Dg7SA8zpVGOWFVo4oeCCh+nnrq/avCsSW7tWm0brc9RgL2yf6RrdkmdQYiDvcd
ruw7WbCj/IrfEBTaIosgLWfKhR5YNlQLJTfvLC92+osCXLqXGi4+o3/iMgg82ngH
jkQmiBLWQL5bpGEQ4xHwfEgHhFMzqhEFUPZseCEJKiVkXIRB9jwQQvqkkhirORgB      >>> Certificate 3
5obLVsxKFDz9l2SEeewyO/fA/ZwkbjHqULYb8VroJ4PvnwIDAQABo28wbTAOBgNV
HQ8BAf8EBAMCBeAwDAYDVR0TAQH/BAIwADBNBgNVHREERjBEoEIGCSsGAQQBCRUC
A6A1EzNDaGlwSUQ9VVFJVFVJVWpDUUt2QUFBQU0vZXFZaUF5TWlBeE16b3lOVG95
TXlCeEVxWT0wDQYJKoZIhvcNAQELBQADggEBABUb8ooyQSlPzeGllmnSFq+Riv4L
4OhNYozVxOpSThzlF07c/ql3OilTGfYA/M3VePizgYUC4q2b0jhiwz25WH9ocaO2
MWXunq8yaUIdtI/PWAAUSx3G//OkA0rCixDMg0BoHghAha2xHA+kkPNX7Gm7os34
g6BWgT+Ds8smje0mHfUcWH7HCFJgk/8GePfPGy7H5se5A2W6ZdZzuy46vReqmAL1
3pTQAepD2lkgkgBOJP9e02FQ+l+QHpaaCyx/L5pkUF7a5d6/ew7KgB5DsljNe/8x
N2N6H8KrEJuZWLxbfFwsziFuya2Rd5jxZYbvYVa7D7fsrNOpnXF7RWSCFPc=
-----END CERTIFICATE-----
Signature version: 1
Signature:

3453E7DFBC4942548A52876994D95B69089B6B6C9561878F553D009A2B60BDFE661515C69DCAE12A2966792A730C1E054E329851DA9BD97E4EC1332B8567E97122B4C8F7AE455B768C37DABD5F2149CB2D188A85A82F9C97075ECE374DDF1C38DD2688A3D008AA0047314196A4B3A46DA85B59A85A8369AE2F9EE054548B6AC3E91654F75256E216A8FD37DD8739015914912BE66D1768619880E121FA738A1003E2A731E9CF888C562F0E903351E86F1D901066DC83DA9C61A05BC5BF77E0D370E3B2A483AFB0589DB9149862C7A5CC12ACF8C758AA878905EB2D9F693681A694B2520320F0A65FEF7D643268300C129D28168147D518361251CE759162CA95

Step 2. Verify the X.509v3 Certificates

The result of SUDI verification contains three X.509v3 certificates - Certficate 1, Certificate 2, and Certificate 3 in the previous sample output.

Certificate 1 is the Cisco Root Certificate Authority (CA) certificate and Certificate 2 is the signing SUDI CA certificate. In order to verify the certificates, download the official X.509v3 certificates - Cisco Root CA 2048 (crca2048) - PEM and ACT2 SUDI CA - PEM from the Cisco PKI website and compare them with the ones listed in the SUDI verification (show platform sudi certificate sign nonce [nonce command) output.

• Certificate 1 from the device output should match with Cisco Root CA 2048 (crca2048) - PEM downloaded from the website.

• Certificate 2 from the device output should match with ACT2 SUDI CA - PEM downloaded from the website.

Optional Step: Additionally, the openssl command can be used to extract the certificate type from the Subject line in the certificate. Refer to this sample output:

Sample Output:

ubuntu$ openssl x509 -noout -subject
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----
subject=O = Cisco Systems, CN = Cisco Root CA 2048
ubuntu$ openssl x509 -noout -subject
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIKYQlufQAAAAAADDANBgkqhkiG9w0BAQUFADA1MRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw
HhcNMTEwNjMwMTc1NjU3WhcNMjkwNTE0MjAyNTQyWjAnMQ4wDAYDVQQKEwVDaXNj
bzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0m5l3THIxA9tN/hS5qR/6UZRpdd+9aE2JbFkNjht6gfHKd477AkS
5XAtUs5oxDYVt/zEbslZq3+LR6qrqKKQVu6JYvH05UYLBqCj38s76NLk53905Wzp
9pRcmRCPuX+a6tHF/qRuOiJ44mdeDYZo3qPCpxzprWJDPclM4iYKHumMQMqmgmg+
xghHIooWS80BOcdiynEbeP5rZ7qRuewKMpl1TiI3WdBNjZjnpfjg66F+P4SaDkGb
BXdGj13oVeF+EyFWLrFjj97fL2+8oauV43Qrvnf3d/GfqXj7ew+z/sXlXtEOjSXJ
URsyMEj53Rdd9tJwHky8neapszS+r+kdVQIDAQABo4IBWjCCAVYwCwYDVR0PBAQD
AgHGMB0GA1UdDgQWBBRI2PHxwnDVW7t8cwmTr7i4MAP4fzAfBgNVHSMEGDAWgBQn
88gVHm6aAgkWrSugiWBf2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3
LmNpc2NvLmNvbS9zZWN1cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEF
BQcBAQREMEIwQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3Vy
aXR5L3BraS9jZXJ0cy9jcmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkV
AQwAMEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5
L3BraS9wb2xpY2llcy9pbmRleC5odG1sMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJ
KoZIhvcNAQEFBQADggEBAGh1qclr9tx4hzWgDERm371yeuEmqcIfi9b9+GbMSJbi
ZHc/CcCl0lJu0a9zTXA9w47H9/t6leduGxb4WeLxcwCiUgvFtCa51Iklt8nNbcKY
/4dw1ex+7amATUQO4QggIE67wVIPu6bgAE3Ja/nRS3xKYSnj8H5TehimBSv6TECi
i5jUhOWryAK4dVo8hCjkjEkzu3ufBTJapnv89g9OE+H3VKM4L+/KdkUO+52djFKn
hyl47d7cZR4DY4LIuFM2P1As8YyjzoNpK/urSRI14WdIlplR1nH7KNDl5618yfVP
0IFJZBGrooCRBjOSwFv8cpWCbmWdPaCQT2nwIjTfY8c=
-----END CERTIFICATE-----
subject=O = Cisco, CN = ACT2 SUDI CA

Step 3. Verify the Device Identity

The third X.509v3 certificate (Certificate 3 in the sample output) in the result of SUDI verification is the SUDI certificate. It is important to confirm the device identity specified in this certificate which should match the device information.

The openssl command can be used to extract the device ID (Product ID (PID) and Serial Number (SN)) from the Subject line in the SUDI certificate.

Sample Output:

ubuntu$ openssl x509 -noout -subject
-----BEGIN CERTIFICATE-----
MIIDiDCCAnCgAwIBAgIDAbx3MA0GCSqGSIb3DQEBCwUAMCcxDjAMBgNVBAoTBUNp
c2NvMRUwEwYDVQQDEwxBQ1QyIFNVREkgQ0EwHhcNMTMwNzEyMjExMTE1WhcNMjMw
NzEyMjExMTE1WjB1MSwwKgYDVQQFEyNQSUQ6V1MtQzI5NjBYLTQ4VFMtTCBTTjpG
T0MxNzI4VzI1UzEOMAwGA1UEChMFQ2lzY28xGDAWBgNVBAsTD0FDVC0yIExpdGUg
U1VESTEbMBkGA1UEAxMSV1MtQzI5NjBYLTQ4VFMtTCAgMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAputJ8j29wJubV2yFF1wL+4ynVspW/8dLqZKECAfp
NafvKXLlnd5cVleq7H8A4e7o4mHwmHsEmzfpfxbDnSppuhnHeoEJYY6FH4tCXrF3
s4Dg7SA8zpVGOWFVo4oeCCh+nnrq/avCsSW7tWm0brc9RgL2yf6RrdkmdQYiDvcd
ruw7WbCj/IrfEBTaIosgLWfKhR5YNlQLJTfvLC92+osCXLqXGi4+o3/iMgg82ngH
jkQmiBLWQL5bpGEQ4xHwfEgHhFMzqhEFUPZseCEJKiVkXIRB9jwQQvqkkhirORgB
5obLVsxKFDz9l2SEeewyO/fA/ZwkbjHqULYb8VroJ4PvnwIDAQABo28wbTAOBgNV
HQ8BAf8EBAMCBeAwDAYDVR0TAQH/BAIwADBNBgNVHREERjBEoEIGCSsGAQQBCRUC
A6A1EzNDaGlwSUQ9VVFJVFVJVWpDUUt2QUFBQU0vZXFZaUF5TWlBeE16b3lOVG95
TXlCeEVxWT0wDQYJKoZIhvcNAQELBQADggEBABUb8ooyQSlPzeGllmnSFq+Riv4L
4OhNYozVxOpSThzlF07c/ql3OilTGfYA/M3VePizgYUC4q2b0jhiwz25WH9ocaO2
MWXunq8yaUIdtI/PWAAUSx3G//OkA0rCixDMg0BoHghAha2xHA+kkPNX7Gm7os34
g6BWgT+Ds8smje0mHfUcWH7HCFJgk/8GePfPGy7H5se5A2W6ZdZzuy46vReqmAL1
3pTQAepD2lkgkgBOJP9e02FQ+l+QHpaaCyx/L5pkUF7a5d6/ew7KgB5DsljNe/8x
N2N6H8KrEJuZWLxbfFwsziFuya2Rd5jxZYbvYVa7D7fsrNOpnXF7RWSCFPc=
-----END CERTIFICATE-----
subject=serialNumber = PID:WS-C2960X-48TS-L SN:XXXXXXXXXXX, O = Cisco, OU = ACT-2 Lite SUDI, CN = "WS-C2960X-48TS-L  "

This is an example of what might be found, when you search the SN and PID, in the output of the show version CLI command.

Switch#show version
<<output snipped>>

Model revision number           : V01 
Motherboard revision number     : A0 
Model number                    : WS-C2960X-48TS-L
Daughterboard assembly number   : 73-14200-03
Daughterboard serial number     : YYYYYYYYYYY
System serial number            : XXXXXXXXXXX

The device identity (PID and SN) extracted from the SUDI certificate and the output of the show version CLI command should match.

If you detect any mismatch in the outputs from Step 2 and Step 3, contact the Technical Assistance Center (TAC) if the product is under support. If the product is not under support, fill out the Brand Protection form and our team will be in touch. They will further guide you with the counterfeit detection process.

Customers can submit their Cisco products for verification at the Cisco Buy Right Portal which offers a complimentary serial number validation on the status of products. See Buy Right–Buy Authorized Cisco for more information.

Customers can also check the labels in order to determine if a Cisco product is genuine. Cisco’s Identity Counterfeit Platform provides a means to identify key security features on the Carton Security, Printed Circuit Board Assembly (PCBA), and Module Security labels. For more information, see Identify Counterfeit and Pirated Products.

In order to learn more, see Brand Protection.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.