The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes options to prevent, workaround, and recover from cable modem (CM) reject(pk) service impacts on the cBR-8 Cable Modem Termination System (CMTS) that result from Manufacturer Certificate (Manu Cert) expiration.
There are different causes for a CM to become stuck in the reject(pk) state on the cBR-8. One cause is expiration of the Manu Cert. The Manu Cert is used for authentication between a CM and CMTS. In this document, a Manu Cert is what the DOCSIS 3.0 Security Specification CM-SP-SECv3.0 refers to as CableLabs Mfg CA certificate or Manufacturer CA certificate. Expire means the cBR-8 system date/time exceeds the Manu Cert validity end date/time.
A CM that attempts to register with the cBR-8 after the Manu Cert expires is marked reject(pk) by the CMTS and is not in service. A CM already registered with the cBR-8 and in service when the Manu Cert expires can remain in service until the next time the CM attempts to register, which can occur after a single CM offline event, cBR-8 Cable Linecard restart, cBR-8 reload, or other event triggers CM registration. At that time the CM fails authentication, is marked reject(pk) by the cBR-8, and is not in service.
The information in this document expands upon and reformats content published in the Cable Modems and Expiring Manufacturer Certificates in cBR-8 Product Bulletin.
Note: Cisco bug ID CSCvv21785; In some versions of Cisco IOS XE, this bug causes a trusted Manu Cert to fail validation after a cBR-8 reload. In some cases the Manu Cert is present but no longer in the trusted state. In that case, the Manu Cert trust state can be changed to trusted with steps described in this document. If the Manu Cert is not present in the output of the show cable privacy manufacturer-cert-list command, the Manu Cert can be re-added manually or by AuthInfo with steps described in this document.
Manu Cert information can be viewed via cBR-8 CLI commands or Simple Network Management Protocol (SNMP) commands from a remote device. The cBR-8 CLI also supports SNMP set, get and get-bulk commands. These commands and information are used by solutions described in this document.
Manu Cert information can be viewed with these cBR-8 CLI commands.
These Cisco IOSĀ® XE SNMP commands are used from the cBR-8 CLI to get and set SNMP OIDs.
These cBR-8 cable interface configuration commands are used for workarounds and recovery described in the Solution section of this document.
Manu Cert information is defined in the docsBpi2CmtsCACertEntry OID branch 1.3.6.1.2.1.10.127.6.1.2.5.2.1, described in the SNMP Object Navigator.
Relevant SNMP OIDs
docsBpi2CmtsCACertSubject 1.3.6.1.2.1.10.127.6.1.2.5.2.1.2
docsBpi2CmtsCACertIssuer 1.3.6.1.2.1.10.127.6.1.2.5.2.1.3
docsBpi2CmtsCACertSerialNumber 1.3.6.1.2.1.10.127.6.1.2.5.2.1.4
docsBpi2CmtsCACertTrust 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5
docsBpi2CmtsCACertSource 1.3.6.1.2.1.10.127.6.1.2.5.2.1.6
docsBpi2CmtsCACertStatus 1.3.6.1.2.1.10.127.6.1.2.5.2.1.7
docsBpi2CmtsCACert 1.3.6.1.2.1.10.127.6.1.2.5.2.1.8
In command examples, ellipsis (...) indicate some information has been omitted for readability.
CM firmware update is the best long-term solution. Workarounds described in this document permit CMs with expired Manu Certs to register and remain online with the cBR-8, but these workarounds are only recommended for short-term use. If a CM firmware update is not an option, a CM replacement strategy is a good long-term solution from a security and operations perspective. The solutions described here address different conditions or scenarios and can be used individually or, some, in combination with each other;
Permit Expired CM Certs and Manu Certs to be Added by AuthInfo with a cBR-8 CLI Command
Note: If BPI is removed, this disables encryption and authentication, which minimizes the viability of that as a workaround.
In many instances, CM manufacturers provide CM firmware updates that extend the validity end date of the Manu Cert. This solution is the best option and, when performed before a Manu Cert expires, prevents related service impacts. CMs load the new firmware and re-register with new Manu Certs and CM Certs. The new certificates can authenticate properly and the CMs can successfully register with the cBR-8. The new Manu Cert and CM Cert can create a new certificate chain back to the known Root Certificate already installed in the cBR-8.
When a CM firmware update is unavailable due to a CM Manufacturer gone out of business, no further support for a CM model, and so on, Manu Certs already known on the cBR-8 with validity end dates in the near future can be proactively marked trusted in the cBR-8 prior to the validity end date. The cBR-8 CLI commands and SNMP are used to identify Manu Cert information such as serial number and trust state, and SNMP is used to set the Manu Cert trust state to trusted in the cBR-8, which allows associated CMs to register and remain in service.
Known Manu Certs for currently in-service and online CMs are typically learned by the cBR-8 from a CM through the DOCSIS Baseline Privacy Interface (BPI) protocol. The AuthInfo message sent from the CM to the cBR-8 contains the Manu Cert. Each unique Manu Cert is stored in cBR-8 memory and its information can be viewed by cBR-8 CLI commands and SNMP.
When the Manu Cert is marked as trusted, that does two important things. First, it allows the cBR-8 BPI software to ignore the expired validity date. Second, it stores the Manu Cert as trusted in the cBR-8 NVRAM. This preserves the Manu Cert state across a cBR-8 reload and eliminates the need to repeat this procedure in the event of a cBR-8 reload.
The CLI and SNMP command examples demonstrate how to identify a Manu Cert index, serial number, and trust state; then use that information to change the trust state to trusted. The examples focus on the Manu Cert with Index 4 and Serial Number 437498F09A7DCBC1FA7AA101FE976E40.
In this example the cBR-8 CLI command show cable privacy manufacturer-cert-list is used.
CBR8-1#show cable privacy manufacturer-cert-list
Cable Manufacturer Certificates:
Index: 4
Issuer: cn=DOCSIS Cable Modem Root Certificate Authority,ou=Cable Modems,o=Data Over Cable Service Interface Specifications,c=US
Subject: cn=Motorola Corporation Cable Modem Root Certificate Authority,ou=ASG,ou=DOCSIS,l=San Diego,st=California,o=Motorola Corporation,c=US
State: Chained
Source: Auth Info
RowStatus: Active
Serial: 437498F09A7DCBC1FA7AA101FE976E40
Thumbprint: FA07609998FDCAFA8F80D87F1ACFC70E6C52C80F
Fingerprint: 0EABDBD19D8898CA9C720545913AB93B
Index: 5
Issuer: cn=CableLabs Root Certification Authority,ou=Root CA01,o=CableLabs,c=US
Subject: cn=CableLabs Device Certification Authority,ou=Device CA01,o=CableLabs,c=US
State: Chained
Source: Auth Info
RowStatus: Active
Serial: 701F760559283586AC9B0E2666562F0E
Thumbprint: E85319D1E66A8B5B2BF7E5A7C1EF654E58C78D23
Fingerprint: 15C18A9D6584D40E88D50D2FF4936982
In this example the cBR-8 CLI command snmp get-bulk is used. Cert Indices 4 & 5 are the Manu Certs stored in the CMTS memory. Indices 1, 2, and 3 are Root Certificates. Root Certificates are not the concern here as their expiration dates are much longer.
docsBpi2CmtsCACertSubject
CBR8-1#snmp get-bulk v2c 192.168.1.1 vrf Mgmt-intf private non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.2
SNMP Response: reqid 1752673, errstat 0, erridx 0
docsBpi2CmtsCACertSubject.1 = Data Over Cable Service Interface Specifications
docsBpi2CmtsCACertSubject.2 = tComLabs - Euro-DOCSIS
docsBpi2CmtsCACertSubject.3 = CableLabs
docsBpi2CmtsCACertSubject.4 = Motorola
docsBpi2CmtsCACertSubject.5 = CableLabs
docsBpi2CmtsCACertIssuer
CBR8-1#snmp get-bulk v2c 192.168.1.1 vrf Mgmt-intf private non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.3
SNMP Response: reqid 1752746, errstat 0, erridx 0
docsBpi2CmtsCACertIssuer.1 = DOCSIS Cable Modem Root Certificate Authority
docsBpi2CmtsCACertIssuer.2 = Euro-DOCSIS Cable Modem Root CA
docsBpi2CmtsCACertIssuer.3 = CableLabs Root Certification Authority
docsBpi2CmtsCACertIssuer.4 = DOCSIS Cable Modem Root Certificate Authority
docsBpi2CmtsCACertIssuer.5 = CableLabs Root Certification Authority
CBR8-1#snmp get-bulk v2c 192.168.1.1 vrf Mgmt-intf private non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.4
SNMP Response: reqid 2300780, errstat 0, erridx 0
docsBpi2CmtsCACertSerialNumber.1 =
58 53 64 87 28 A4 4D C0 33 5F 0C DB 33 84 9C 19
docsBpi2CmtsCACertSerialNumber.2 =
63 4B 59 63 79 0E 81 0F 3B 54 45 B3 71 4C F1 2C
docsBpi2CmtsCACertSerialNumber.3 =
62 97 48 CA C0 A6 0D CB D0 FF A8 91 40 D8 D7 61
docsBpi2CmtsCACertSerialNumber.4 =
43 74 98 F0 9A 7D CB C1 FA 7A A1 01 FE 97 6E 40
docsBpi2CmtsCACertSerialNumber.5 =
70 1F 76 05 59 28 35 86 AC 9B 0E 26 66 56 2F 0E
docsBpi2CmtsCACertTrust
CBR8-1#snmp get-bulk v2c 192.168.1.1 vrf Mgmt-intf private non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5
SNMP Response: reqid 1752778, errstat 0, erridx 0
docsBpi2CmtsCACertTrust.1 = 4
docsBpi2CmtsCACertTrust.2 = 4
docsBpi2CmtsCACertTrust.3 = 4
docsBpi2CmtsCACertTrust.4 = 3 (3 = chained)
docsBpi2CmtsCACertTrust.5 = 3
docsBpi2CmtsCACertSource
CBR8-1#snmp get-bulk v2c 192.168.1.1 vrf Mgmt-intf private non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.6
SNMP Response: reqid 1752791, errstat 0, erridx 0
docsBpi2CmtsCACertSource.1 = 4
docsBpi2CmtsCACertSource.2 = 4
docsBpi2CmtsCACertSource.3 = 4
docsBpi2CmtsCACertSource.4 = 5 (5 = authentInfo)
docsBpi2CmtsCACertSource.5 = 5
docsBpi2CmtsCACertStatus
CBR8-1#snmp get-bulk v2c 10.122.151.12 vrf Mgmt-intf Cisco123 non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.7
SNMP Response: reqid 1752804, errstat 0, erridx 0
docsBpi2CmtsCACertStatus.1 = 1
docsBpi2CmtsCACertStatus.2 = 1
docsBpi2CmtsCACertStatus.3 = 1
docsBpi2CmtsCACertStatus.4 = 1 (1 = active)
docsBpi2CmtsCACertStatus.5 = 1
The remote device SNMP examples in this document use SNMP commands from a remote Ubuntu Linux server. Specific SNMP commands and formats depend on the device and operating system used to execute the SNMP commands.
docsBpi2CmtsCACertSubject
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.2
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.2.1 = STRING: "Data Over Cable Service Interface Specifications"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.2.2 = STRING: "tComLabs - Euro-DOCSIS"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.2.3 = STRING: "CableLabs"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.2.4 = STRING: "Motorola Corporation"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.2.5 = STRING: "CableLabs"
docsBpi2CmtsCACertIssuer
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.3
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.3.1 = STRING: "DOCSIS Cable Modem Root Certificate Authority"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.3.2 = STRING: "Euro-DOCSIS Cable Modem Root CA"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.3.3 = STRING: "CableLabs Root Certification Authority"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.3.4 = STRING: "DOCSIS Cable Modem Root Certificate Authority"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.3.5 = STRING: "CableLabs Root Certification Authority"
docsBpi2CmtsCACertSerialNumber
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.4.1 = Hex-STRING: 58 53 64 87 28 A4 4D C0 33 5F 0C DB 33 84 9C 19
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.4.2 = Hex-STRING: 63 4B 59 63 79 0E 81 0F 3B 54 45 B3 71 4C F1 2C
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.4.3 = Hex-STRING: 62 97 48 CA C0 A6 0D CB D0 FF A8 91 40 D8 D7 61
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.4.4 = Hex-STRING: 43 74 98 F0 9A 7D CB C1 FA 7A A1 01 FE 97 6E 40
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.4.5 = Hex-STRING: 70 1F 76 05 59 28 35 86 AC 9B 0E 26 66 56 2F 0E
docsBpi2CmtsCACertTrust
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.1 = INTEGER: 4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.2 = INTEGER: 4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.3 = INTEGER: 4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 = INTEGER: 3 (3 = chained)
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.5 = INTEGER: 3
docsBpi2CmtsCACertSource
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.6
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.6.1 = INTEGER: 4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.6.2 = INTEGER: 4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.6.3 = INTEGER: 4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.6.4 = INTEGER: 5 (5 = authentInfo)
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.6.5 = INTEGER: 5
docsBpi2CmtsCACertStatus
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.7
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.7.1 = INTEGER: 1
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.7.2 = INTEGER: 1
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.7.3 = INTEGER: 1
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.7.4 = INTEGER: 1 (1 = active)
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.7.5 = INTEGER: 1
Use the cBR-8 linecard CLI command show crypto pki certificates to identify the Manu Cert validity end date. This command output does not include the Manu Cert Index. The Certificate Serial Number can be used to correlate Manu Cert information learned from this command with the Manu Cert information learned from SNMP.
CBR8-1#request platform software console attach
request platform software console attach 6/0
#
# Connecting to the CLC console on 6/0.
# Enter Control-C to exit the console connection.
#
Slot-6-0>enable
Slot-6-0#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 701F760559283586AC9B0E2666562F0E Certificate Usage: Signature
Issuer:
cn=CableLabs Root Certification Authority
ou=Root CA01
o=CableLabs
c=US
Subject:
cn=CableLabs Device Certification Authority
ou=Device CA01
o=CableLabs
c=US
Validity Date:
start date: 00:00:00 GMT Oct 28 2014
end date: 23:59:59 GMT Oct 27 2049
Associated Trustpoints: e85319d1e66a8b5b2bf7e5a7c1ef654e58c78d23
CA Certificate
Status: Available
Certificate Serial Number (hex): 437498F09A7DCBC1FA7AA101FE976E40
Certificate Usage: Signature
Issuer:
cn=DOCSIS Cable Modem Root Certificate Authority
ou=Cable Modems
o=Data Over Cable Service Interface Specifications
c=US
Subject:
cn=Motorola Corporation Cable Modem Root Certificate Authority
ou=ASG
ou=DOCSIS
l=San Diego
st=California
o=Motorola Corporation
c=US
Validity Date:
start date: 00:00:00 GMT Jul 11 2001
end date: 23:59:59 GMT Jul 10 2021
Associated Trustpoints: fa07609998fdcafa8f80d87f1acfc70e6c52c80f
CA Certificate
Status: Available
Certificate Serial Number (hex): 629748CAC0A60DCBD0FFA89140D8D761
Certificate Usage: Signature
Issuer:
cn=CableLabs Root Certification Authority
ou=Root CA01
o=CableLabs
c=US
Subject:
cn=CableLabs Root Certification Authority
ou=Root CA01
o=CableLabs
c=US
Validity Date:
start date: 00:00:00 GMT Oct 28 2014
end date: 23:59:59 GMT Oct 27 2064
Associated Trustpoints: DOCSIS-D31-TRUSTPOINT
CA Certificate
Status: Available
Certificate Serial Number (hex): 634B5963790E810F3B5445B3714CF12C
Certificate Usage: Signature
Issuer:
cn=Euro-DOCSIS Cable Modem Root CA
ou=Cable Modems
o=tComLabs - Euro-DOCSIS
c=BE Subject:
cn=Euro-DOCSIS Cable Modem Root CA
ou=Cable Modems
o=tComLabs - Euro-DOCSIS
c=BE
Validity Date:
start date: 00:00:00 GMT Sep 21 2001
end date: 23:59:59 GMT Sep 20 2031
Associated Trustpoints: DOCSIS-EU-TRUSTPOINT
CA Certificate
Status: Available
Certificate Serial Number (hex): 5853648728A44DC0335F0CDB33849C19
Certificate Usage: Signature
Issuer:
cn=DOCSIS Cable Modem Root Certificate Authority
ou=Cable Modems
o=Data Over Cable Service Interface Specifications
c=US
Subject:
cn=DOCSIS Cable Modem Root Certificate Authority
ou=Cable Modems
o=Data Over Cable Service Interface Specifications
c=US
Validity Date:
start date: 00:00:00 GMT Feb 1 2001
end date: 23:59:59 GMT Jan 31 2031
Associated Trustpoints: DOCSIS-US-TRUSTPOINT
The examples show the trust state changed from chained to trusted for the Manu Cert with Index = 4 and Serial Number = 437498f09a7dcbc1fa7aa101fe976e40
OID: docsBpi2CmtsCACertTrust 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5 values:
1 : trusted
2 : untrusted
3 : chained
4 : root
This example shows the cBR-8 CLI snmp-set command used to change the trust state
CBR8-1#snmp set v2c 192.168.1.1 vrf Mgmt-intf private oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 integer 1
SNMP Response: reqid 2305483, errstat 0, erridx 0
docsBpi2CmtsCACertTrust.4 = 1 (1 = trusted)
This example shows a remote device use SNMP to change the trust state
jdoe@server1:~$ snmpset -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 i 1
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 = INTEGER: 1 (1 = trusted)
This example shows the cBR-8 CLI command used to confirm the changes
CBR8-1#show cable privacy manufacturer-cert-list
Cable Manufacturer Certificates:
...
Index: 4
Issuer: cn=DOCSIS Cable Modem Root Certificate Authority,ou=Cable Modems,o=Data Over Cable Service Interface Specifications,c=US
Subject: cn=Motorola Corporation Cable Modem Root Certificate Authority,ou=ASG,ou=DOCSIS,l=San Diego,st=California,o=Motorola Corporation,c=US
State: Trusted
Source: SNMP
RowStatus: Active
Serial: 437498F09A7DCBC1FA7AA101FE976E40
Thumbprint: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Fingerprint: D41D8CD98F00B204E9800998ECF8427E
...
This example shows a remote device use SNMP to confirm the changes
jdoe@server1:~$ snmpget -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 = INTEGER: 1 (1 = trusted)
jdoe@server1:~$ snmpget -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.6.4
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.6.4 = INTEGER: 1 (1 = snmp)
A previously known Manu Cert is a certificate already present in the cBR-8 database, typically as a result of AuthInfo messages from previous CM registration. If a Manu Cert is not marked trusted and expires, any CM that uses the expired Manu Cert and goes offline cannot re-register and is marked as reject(pk). This section describes how to recover from this condition and allow CMs with expired Manu Certs to register and remain in service.
When CMs fail to come online and are marked reject(pk) as a result of expired Manu Certs, a syslog message is generated and contains the CM MAC Address and the expired Manu Cert Serial Number.
CLC 6/0: Jan 11 17:36:07.094: %CBR-3-MANUFACTURE_CA_CM_CERTIFICATE_FORMAT_ERROR: <133>CMTS[DOCSIS]: CM MAC Addr <1234.5678.9ABC> on Interface Cable6/0/0 U1 : Manu Cert S/N 437498F09A7DCBC1FA7AA101FE976E40 has Expired
This example shows the cBR-8 CLI SNMP commands used to identify the index for the Manu Cert serial number from the log message, which is then used to set the Manu Cert trust state to trusted.
CBR8-1#snmp get-bulk v2c 192.168.1.1 vrf Mgmt-intf private non-repeaters 0 max-repetitions 5 oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.4
SNMP Response: reqid 2351849, errstat 0, erridx 0
docsBpi2CmtsCACertSerialNumber.1 =
58 53 64 87 28 A4 4D C0 33 5F 0C DB 33 84 9C 19
docsBpi2CmtsCACertSerialNumber.2 =
63 4B 59 63 79 0E 81 0F 3B 54 45 B3 71 4C F1 2C
docsBpi2CmtsCACertSerialNumber.3 =
62 97 48 CA C0 A6 0D CB D0 FF A8 91 40 D8 D7 61
docsBpi2CmtsCACertSerialNumber.4 =
43 74 98 F0 9A 7D CB C1 FA 7A A1 01 FE 97 6E 40
docsBpi2CmtsCACertSerialNumber.5 =
70 1F 76 05 59 28 35 86 AC 9B 0E 26 66 56 2F 0E
CBR8-1#snmp set v2c 192.168.1.1 vrf Mgmt-intf private oid 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 integer 1
SNMP Response: reqid 2353143, errstat 0, erridx 0
docsBpi2CmtsCACertTrust.4 = 1 (1 = trusted)
This examples shows a remote device use SNMP commands to identify the index for the Manu Cert serial number from the log message, which is then used to set the Manu Cert trust state to trusted.
jdoe@server1:~$ snmpwalk -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.4 | grep "43 74 98 F0 9A 7D CB C1 FA 7A A1 01 FE 97 6E 40"
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.4.4 = Hex-STRING: 43 74 98 F0 9A 7D CB C1 FA 7A A1 01 FE 97 6E 40
jdoe@server1:~$ snmpset -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 i 1
iso.3.6.1.2.1.10.127.6.1.2.5.2.1.5.4 = INTEGER: 1 (1 = trusted)
When an expired Manu Cert is not known to the cBR-8 it cannot be managed (marked trusted) prior to expiration and cannot be recovered. This happens when a CM that is previously unknown and not registered on a cBR-8 attempts to register with an unknown and expired Manu Cert. The Manu Cert must be added to the cBR-8 by SNMP from a remote device or use the cable privacy retain-failed-certificates cBR-8 cable interface configuration to permit an expired Manu Cert to be added by AuthInfo. The cBR-8 CLI SNMP commands cannot be used to add a certificate because the numer of characters in the certificate data exceeds the maximum characters accepted by the CLI. If a self-signed certificate is added, the cable privacy accept-self-signed-certificate command must be configured under the cBR-8 cable interface before the cBR-8 can accept the certificate.
Use these docsBpi2CmtsCACertTable OID values to add the Manu Cert as a new table entry. The hexadecimal value of the Manu Cert defined by the docsBpi2CmtsCACert OID can be learned with CA Certificate Dump steps described in the support article How to Decode DOCSIS Certificate for Modem Stuck State Diagnosis.
docsBpi2CmtsCACertStatus 1.3.6.1.2.1.10.127.6.1.2.5.2.1.7 (Set to 4 to create the row entry)
docsBpi2CmtsCACert 1.3.6.1.2.1.10.127.6.1.2.5.2.1.8 (The hexadecimal data, as an X509Certificate value, for the actual X.509 certificate)
docsBpi2CmtsCACertTrust 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5 (Set to 1 to set the Manu Cert Trust state to trusted)
Use a unique index number for the added Manu Cert. The indices of Manu Certs already present on the cBR-8 can be checked with the show cable privacy manufacturer-cert-list command.
CBR8-2#show cable privacy manufacturer-cert-list | i Index
Index: 4
Index: 5
Index: 6
Index: 7
The examples in this section use an index value of 11 for the Manu Cert added to the cBR-8 database.
Tip: Always set the CertStatus attributes before the actual certificate data. Otherwise, the CMTS assumes the certificate is chained and immediately attempts to verify it with the manufacturers and root certificates.
Some operating systems cannot accept input lines that are as long as needed to input the hexadecimal data string that specifies a certificate. For this reason, a graphical SNMP manager can be used to set these attributes. For a number of certificates, a script file can be used, if more convenient.
This example shows a remote device use SNMP to add a Manu Cert certificate to the cBR-8. Most of the certificate data is ommitted for readability, indicated by elipses (...).
jdoe@server1:~$ snmpset -v 2c -c private 192.168.1.1 1.3.6.1.2.1.10.127.6.1.2.5.2.1.7.11 i 4 1.3.6.1.2.1.10.127.6.1.2.5.2.1.8.11 x "0x3082...38BD" 1.3.6.1.2.1.10.127.6.1.2.5.2.1.5.11 i 1
A Manu Cert typically enters the cBR-8 database by the BPI Protocol AuthInfo message sent to the cBR-8 from the CM. Each unique and valid Manu Cert received in an AuthInfo message is added to the database. If the Manu Cert is unknown to the CMTS (not in the database) and has expired validity dates, AuthInfo is rejected and the Manu Cert is not added to the cBR-8 database. An expired Manu Cert can be added to the CMTS by the AuthInfo exchange when the cable privacy retain-failed-certificates workaround configuration is present under the cBR-8 cable interface configuration. This allows the addition of the expired Manu Cert to the cBR-8 database as untrusted. In order to use the expired Manu Cert, SNMP must be used to mark it trusted. When the expired Manu Cert is added to the cBR-8 and marked trusted, removal of the cable privacy retain-failed-certificates configuration is recommended so additional, potentially unwanted, Manu Certs do not enter the system.
CBR8-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
CBR8-1(config)#int Cable6/0/0
CBR8-1(config-if)#cable privacy retain-failed-certificates
CBR8-1(config-if)#end
An expired CM certificate can be added to the CMTS by the AuthInfo exchange when both the cable privacy retain-failed-certificates and cable privacy skip-validity-period commands are configured under each relevant cable interface. This causes the cBR-8 to ignore expired validity date checks for ALL CM and Manu Certs sent in the CM BPI AuthInfo message. When the expired CM and Manu Certs are added to the cBR-8 and marked trusted, removal of the described configuration is recommended so additional, potentially unwanted, Certs do not enter the system.
CBR8-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
CBR8-1(config)#interface Cable6/0/0
CBR8-1(config-if)#cable privacy retain-failed-certificates
CBR8-1(config-if)#cable privacy skip-validity-period
CBR8-1(config-if)#end
CBR8-1#copy run start
The cable privacy retain-failed-certificates and cable privacy skip-validity-period configuration commands are used at the MAC Domain / cable interface level and are not restrictive. The retain-failed-certificates command can add any failed certificate to the cBR-8 database and skip-validity-period command can skip validity date checks on all Manu and CM certs.
An SNMP get for Cert data can return a NULL value if the Cert OctetString is larger than the SNMP packet size. A cBR-8 SNMP configuration can be used when large-sized certificates are used;
CBR8-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CBR8-1(config)#snmp-server packetsize 3000
CBR8-1(config)#end
CBR8-1#copy run start
Manu Cert debug on the cBR-8 is supported with the debug cable privacy ca-cert and debug cable mac-address <CM mac-address> commands. Additional debug information is explained in the support article How to Decode DOCSIS Certificate for Modem Stuck State Diagnosis. This includes CA Certificate Dump steps used to learn the hexadecimal value of a Manu Cert.
Revision | Publish Date | Comments |
---|---|---|
2.0 |
08-Dec-2021 |
Add note for Cisco bug ID CSCvv21785. Minor format changes. |
1.0 |
30-Nov-2021 |
Initial Release |