THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments
---|---|---
1.0 | 09-Oct-20 | Initial Release
1.1 | 14-Oct-20 | Updated the Workaround/Solution Section
Affected Product ID | Comments
---|---
CGR1120/K9 | Only when managed by Cisco FND
CGR1240/K9 | Only when managed by Cisco FND
CGR1240/K9= | Only when managed by Cisco FND
IR809G-LTE-VZ-K9 | Only when managed by Cisco FND
IR809G-LTE-GA-K9 | Only when managed by Cisco FND
IR809G-LTE-NA-K9 | Only when managed by Cisco FND
IR809G-LTE-LA-K9 | Only when managed by Cisco FND
IR829-2LTE-EA-AK9 | Only when managed by Cisco FND
IR829-2LTE-EA-BK9 | Only when managed by Cisco FND
IR829-2LTE-EA-EK9 | Only when managed by Cisco FND
IR829B-2LTE-EA-AK9 | Only when managed by Cisco FND
IR829B-2LTE-EA-BK9 | Only when managed by Cisco FND
IR829B-2LTE-EA-EK9 | Only when managed by Cisco FND
IR829B-2LTE-EA-RK9 | Only when managed by Cisco FND
IR829B-LTE-EA-AK9 | Only when managed by Cisco FND
IR829B-LTE-EA-BK9 | Only when managed by Cisco FND
IR829B-LTE-EA-EK9 | Only when managed by Cisco FND
IR829B-LTE-EA-RK9 | Only when managed by Cisco FND
IR829GW-LTE-GA-CK9 | Only when managed by Cisco FND
IR829GW-LTE-GA-EK9 | Only when managed by Cisco FND
IR829GW-LTE-GA-SK9 | Only when managed by Cisco FND
IR829GW-LTE-GA-ZK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-DK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-FK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-HK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-KK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-LK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-NK9 | Only when managed by Cisco FND
IR509UWP-915/K9 | Only when managed by Cisco FND
IR510-OFDM-FCC/K9 | Only when managed by Cisco FND
IR529UBWP-915D/K9 | Only when managed by Cisco FND
IR529UBWP-915S/K9 | Only when managed by Cisco FND
IR529WP-915S/K9 | Only when managed by Cisco FND
IR529UWP-915D/K9 | Only when managed by Cisco FND
IR530SB-OFD-BRZ/K9 | Only when managed by Cisco FND
IR530SB-OFD-FCC/K9 | Only when managed by Cisco FND
IXM-LPWA-800-16-K9 | Only when managed by Cisco FND
IXM-LPWA-900-16-K9 | Only when managed by Cisco FND
IR1101 | Only when managed by Cisco FND
IR1101-A-K9 | Only when managed by Cisco FND
IR1101-K9 | Only when managed by Cisco FND
C819HG-S-K9 | Only when managed by Cisco FND
C819HG-V-K9 | Only when managed by Cisco FND
C819HGW+7-N-K9 | Only when managed by Cisco FND
C819HWD-E-K9 | Only when managed by Cisco FND
C819HG+7-K9 | Only when managed by Cisco FND
C819HWD-A-K9 | Only when managed by Cisco FND
C819HGW+7-A-A-K9 | Only when managed by Cisco FND
C819H-K9 | Only when managed by Cisco FND
C819HG-U-K9 | Only when managed by Cisco FND
C819HGW+7-E-K9 | Only when managed by Cisco FND
C819HGW-V-A-K9 | Only when managed by Cisco FND
C819HGW-S-A-K9 | Only when managed by Cisco FND
C819HG-4G-G-K9 | Only when managed by Cisco FND
C819HG-4G-A-K9 | Only when managed by Cisco FND
C819HG-4G-V-K9 | Only when managed by Cisco FND
C819HWD-C-K9 | Only when managed by Cisco FND
C819HG-LTE-MNA-K9 | Only when managed by Cisco FND
C819G-LTE-LA-K9 | Only when managed by Cisco FND
C819GW-LTE-MNA-AK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-QK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-SK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-TK9 | Only when managed by Cisco FND
IR829GW-LTE-LA-ZK9 | Only when managed by Cisco FND
IR829GW-LTE-NA-AK9 | Only when managed by Cisco FND
IR829GW-LTE-VZ-AK9 | Only when managed by Cisco FND
IR829M-2LTE-EA-AK9 | Only when managed by Cisco FND
IR829M-2LTE-EA-BK9 | Only when managed by Cisco FND
IR829M-2LTE-EA-EK9 | Only when managed by Cisco FND
IR829M-2LTE-EA-RK9 | Only when managed by Cisco FND
IR829M-LTE-EA-AK9 | Only when managed by Cisco FND
IR829M-LTE-EA-BK9 | Only when managed by Cisco FND
IR829M-LTE-EA-EK9 | Only when managed by Cisco FND
IR829M-LTE-EA-RK9 | Only when managed by Cisco FND
IR829M-LTE-LA-ZK9 | Only when managed by Cisco FND
IR829M-TMU2-PROMO | Only when managed by Cisco FND
Defect ID | Headline
---|---
CSCvt60802 | Implement Cisco FAN Feature Requirement
The Cisco Secure Unique Device Identifier (SUDI) certificate on a limited number of Internet of Things (IoT) products (see the Products Affected section) will expire either on [Date of Manufacture + 10 Years] OR 2029-05-14, whichever is earlier.
During the initial Simple Certificate Enrollment Protocol (SCEP) process, the Cisco SUDI certificate is used for authentication with the Registration Authority (RA) to acquire the Local Device Identifier (LDevID) certificate from the customer's Public Key Infrastructure (PKI). Once the LDevID is enrolled, it is used for communicating with Cisco’s Field Network Director (FND) and the Cisco SUDI certificate is no longer required unless one of these actions occurs:
A previously enrolled device will see no impact from an expired Cisco SUDI certificate, since the LDevID is used for ongoing communications. LDevID certificates have limited lifetimes and can be renewed or re-acquired using the Cisco SUDI certificate as credentials. Cisco's recommendation is to implement the workaround in this field notice. Furthermore, LDevID certificates will be made renewable using the LDevID trustpoint as credentials in a future version of the RA software, along with FND enhancements; details will be highlighted in future announcements.
However, if a device with an expired Cisco SUDI certificate that has not been previously enrolled, or a previously enrolled device that is reinitialized, is added to a system that uses FND, authentication during SCEP enrollment will fail unless the workaround is implemented.
Note: The suggested workarounds will no longer work once the Cisco SUDI Certificate Authority (CA) certificate expires on 2029-05-14. Cisco will continue to evaluate options to extend the workaround beyond 2029-05-14 and will provide an updated notice.
Cisco’s IoT products (see the Products Affected section) provisioned with a Cisco SUDI certificate for network authentication will have their certificate expire on [The Date of Manufacture + 10 Years] OR 2029-05-14, whichever is earlier.
In order to determine the certificate expiration date, enter this command:

```
router>show crypto pki certificates CISCO_IDEVID_SUDI
```
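To check a fleet against the expiry rule above, the validity dates can be parsed out of the `show crypto pki certificates CISCO_IDEVID_SUDI` output and compared with the expected expiry (manufacture date + 10 years, or 2029-05-14, whichever is earlier). This is an added example, not code from Cisco or this notice; the sample output is constructed with a made-up serial number and dates, and the 180-day warning window is an assumed operational threshold.

```python
import re
from datetime import date, timedelta

SUDI_CA_EXPIRY = date(2029, 5, 14)  # CA expiry date stated in the field notice

# Constructed sample of "show crypto pki certificates CISCO_IDEVID_SUDI" output.
# The layout follows IOS; the serial number and dates are made up for this example.
SAMPLE_SHOW_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 3C45
  Issuer:
    cn=ACT2 SUDI CA
    o=Cisco
  Validity Date:
    start date: 08:04:07 UTC Apr 14 2012
    end   date: 08:04:07 UTC Apr 14 2022
  Associated Trustpoints: CISCO_IDEVID_SUDI
"""

# "start date: hh:mm:ss TZ Mon D YYYY" / "end   date: ..." lines inside the Validity block
_DATE_RE = re.compile(r"^\s*(start|end)\s+date:\s+\d\d:\d\d:\d\d\s+\S+\s+(\w{3} \d{1,2} \d{4})", re.M)
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

def _to_date(text):
    mon, day, year = text.split()
    return date(int(year), _MONTHS[mon], int(day))

def parse_validity(show_output):
    """Return (start, end) dates of the SUDI certificate from the show output."""
    found = {m.group(1): _to_date(m.group(2)) for m in _DATE_RE.finditer(show_output)}
    return found["start"], found["end"]

def expected_sudi_expiry(manufacture_date):
    """Expiry rule from the notice: manufacture date + 10 years or the CA expiry, whichever is earlier."""
    try:
        ten_years = manufacture_date.replace(year=manufacture_date.year + 10)
    except ValueError:  # 29 Feb manufacture date with no 29 Feb ten years later
        ten_years = manufacture_date.replace(year=manufacture_date.year + 10, day=28)
    return min(ten_years, SUDI_CA_EXPIRY)

def classify(show_output, today, warn_days=180):
    """Return 'expired', 'expiring' (within warn_days) or 'ok' for one device."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    _, end = parse_validity(show_output)
    if end < today:
        return "expired"
    if end - today <= timedelta(days=warn_days):
        return "expiring"
    return "ok"
```

Devices classified as expiring or expired need the RA workaround in place before they are re-enrolled or reinitialized.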
The scenarios under which an expired Cisco SUDI certificate will have an impact are described in this section.
Scenario 1. Customer Uses the Cisco SUDI Certificate to Acquire an LDevID Certificate
If a customer uses the Cisco SUDI certificate as the credentials to acquire an LDevID certificate and the Cisco SUDI certificate expires, the SCEP operation will fail. Without a valid LDevID certificate, the router will fail to communicate with FND and establish a tunnel to the Head End Router (HER).
Scenario 2. Customer Uses the Cisco SUDI Certificate to Communicate with FND
If a router uses the Cisco SUDI certificate to establish communication with FND and the Cisco SUDI certificate expires, the router will no longer be able to communicate with FND.
Note: If a customer uses their own PKI and an LDevID, this scenario does NOT apply.
An example of a SCEP authentication request from a device whose Cisco SUDI certificate has already expired is shown here:
```
Jan 2 02:00:00.461: CRYPTO_PKI: (A0121) No suitable trustpoints found
Jan 2 02:00:00.461: CRYPTO_PKI_SCEP: CS Sending CertRep Response - PENDING(6B68FAD5E3CC2182FBE2C2A344D38BB5)
Jan 2 02:00:08.100: CRYPTO_PKI_SCEP: CS received PKIOperation request
Jan 2 02:00:08.111: CRYPTO_PKI_SCEP: Received message is GetCertInitial
Jan 2 02:00:08.112: CRYPTO_PKI: (A0122) Adding peer certificate
Jan 2 02:00:08.112: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Jan 2 02:00:08.113: CRYPTO_PKI: (A0122) Check for identical certs
Jan 2 02:00:08.113: CRYPTO_PKI : (A0122) Validating non-trusted cert
Jan 2 02:00:08.113: CRYPTO_PKI: (A0122) Create a list of suitable trustpoints
Jan 2 02:00:08.113: CRYPTO_PKI: (A0122) Suitable trustpoints are: IOS-CS-CGR1000_ACT2_SUDI_CA249,
Jan 2 02:00:08.113: CRYPTO_PKI: (A0122) Attempting to validate certificate using IOS-CS-CGR1000_ACT2_SUDI_CA249 policy%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 10:56:57 PDT Jun 30 2011
end date: 13:25:42 PDT May 14 2029
Jan 2 02:00:08.115: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3C45) has expired. Validity period ended on 2022-04-14T08:04:07Z
Jan 2 02:00:08.116: CRYPTO_PKI: (A0122) Certificate validation failed
```
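The `%PKI-3-CERTIFICATE_INVALID_EXPIRED` line in the RA log above is the signal a defender can alert on to spot enrollments failing because of an expired SUDI certificate. The following is an added example, not code from Cisco or this notice: it extracts the failing serial numbers and expiry dates from RA syslog and records whether the allow-expired workaround can still help, which per the notice is only while the SUDI CA itself is valid. The sample log is constructed from the lines quoted above plus a made-up second device (serial 1A2B).

```python
import re
from datetime import date

SUDI_CA_EXPIRY = date(2029, 5, 14)  # CA expiry date stated in the field notice

# Constructed RA syslog sample: the first three lines follow the notice's quoted
# output; the fourth (serial 1A2B, its date) is made up to show a second device.
SAMPLE_RA_LOG = """\
Jan 2 02:00:08.113: CRYPTO_PKI: (A0122) Attempting to validate certificate using IOS-CS-CGR1000_ACT2_SUDI_CA249 policy
Jan 2 02:00:08.115: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3C45) has expired. Validity period ended on 2022-04-14T08:04:07Z
Jan 2 02:00:08.116: CRYPTO_PKI: (A0122) Certificate validation failed
Jan 3 09:15:01.200: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 1A2B) has expired. Validity period ended on 2021-11-30T12:00:00Z
"""

# Matches the serial number and the ISO date in the expired-certificate message
_EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: ([0-9A-Fa-f]+)\).*?"
    r"Validity period ended on (\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z")

def expired_cert_failures(log_text):
    """Return {serial: ended_on_date} for every expired-certificate chain failure in the log."""
    return {m.group(1): date.fromisoformat(m.group(2))
            for m in _EXPIRED_RE.finditer(log_text)}

def workaround_still_possible(today):
    """The allow-expired-certificate workaround only works while the SUDI CA is itself valid."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return today < SUDI_CA_EXPIRY

def triage(log_text, today):
    """Summarise failures: (serials needing the RA workaround, workaround still possible?)."""
    failures = expired_cert_failures(log_text)
    return sorted(failures), workaround_still_possible(today)
```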
The workaround is to accept the expired Cisco SUDI certificate, depending on which of the scenarios described in this section applies.
Note: Cisco’s SUDI certificate is based on IEEE 802.1AR for devices that have an Initial Device Identifier (IDevID) and is equivalent to IEEE 802.1AR IDevID. According to the IEEE 802.1AR guidelines, devices authenticated with IEEE 802.1AR IDevID (such as a Cisco SUDI certificate) must accept this value for an infinite lifetime. Therefore, allowing acceptance of an expired Cisco SUDI certificate is considered the same as accepting an IEEE 802.1AR IDevID indefinitely.
As a result, the workaround for devices with an expired Cisco SUDI certificate is to accept the expired certificates, which in effect gives them an extended lifetime. The two ways to achieve this are described in these scenarios.
Scenario 1. Configure the RA to Accept an Expired Cisco SUDI Certificate as SCEP Credentials
Apply this configuration to the RA:

```
crypto pki certificate map ACT2 1
 issuer-name co cn =act2
!
crypto pki trustpoint ACT2_SUDI_CA
 match certificate ACT2 allow expired-certificate
```
Scenario 2. Use the Cisco SUDI Certificate for Direct Communication with FND
The workaround is to upgrade to Cisco FND 4.8, which is planned to support the expired Cisco SUDI certificate when it is used to secure the connection with FND.
Notes:
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.