Field Notice: FN - 72116 - cBR8: QuoVadis Root CA 2 Decommission Might Affect Smart Licensing and Smart Call Home Functionality - Software Upgrade Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.3	23-Feb-22	Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections
1.2	02-Jun-21	Updated the Problem Description Section
1.1	29-Apr-21	Updated the Products Affected Section
1.0	12-Apr-21	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	IOSXE	3	3.15.0S, 3.15.1S, 3.16.0S, 3.16.1S, 3.17.0S, 3.17.1S, 3.18.0aS, 3.18.0S, 3.18.0SP, 3.18.1aSP, 3.18.1S, 3.18.1SP, 3.18.2aSP	cBR-8 Cisco IOS XE Software Releases 17.3.1z or 17.6.1a or later have the fix. All previous releases need to use the suggested workaround to address the issue.
NON-IOS	IOSXE	16	16.1.1, 16.10.1, 16.10.1c, 16.10.1d, 16.10.1f, 16.10.1g, 16.12.1, 16.12.1w, 16.12.1x, 16.12.1y, 16.12.1z, 16.12.1z1, 16.4.1, 16.4.2, 16.5.1, 16.6.1, 16.6.2, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1d, 16.8.1e, 16.9.1, 16.9.1a	cBR-8 Cisco IOS XE Software Releases 17.3.1z or 17.6.1a or later have the fix. All previous releases need to use the suggested workaround to address the issue.
NON-IOS	IOSXE	17	17.2.1, 17.3.1, 17.3.1w, 17.3.1x	cBR-8 Cisco IOS XE Software Releases 17.3.1z or 17.6.1a or later have the fix. All previous releases need to use the suggested workaround to address the issue.

Defect Information

Defect ID	Headline
CSCwa97806	Quovadis Root CA Decommission on cBR-8

Problem Description

For affected versions of the Converged Broadband Router-8 (cBR-8) software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing and Smart Call Home will fail to establish secure connections to Cisco and might not operate properly.

Background

The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by cBR-8 software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.

Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing and Smart Call Home to fail to establish secure connections to Cisco cloud servers.

This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.

Cisco Cloud Server	QuoVadis Certificate Expiration Date	Affected Services
tools.cisco.com	February 5, 2022	Smart Licensing Smart Call Home
smartreceiver.cisco.com	January 26, 2023	Smart Licensing

 

Note: Use this CLI command in order to determine if the new trust (IdenTrust) exists in the system. If the new trust is in the system, no further action is needed. See this example where both IdenTrust and QuoVadis are present:

#show crypto pki trustpool

CA Certificate

  Status: Available

  Certificate Serial Number (hex): 0A0142800000014523C844B500000002

  Certificate Usage: Signature

  Issuer:

    cn=IdenTrust Commercial Root CA 1      <-- Example of SW release having IdenTrust certificate                
                                               as well as QuoVadis present

    o=IdenTrust

    c=US

  Subject:

    cn=IdenTrust Commercial Root CA 1

    o=IdenTrust

    c=US

  Validity Date:

    start date: 14:12:23 EDT Jan 16 2014

    end   date: 14:12:23 EDT Jan 16 2034

  Associated Trustpoints: Trustpool

  Trustpool: Built-In

CA Certificate

  Status: Available

  Certificate Serial Number (hex): 0509

  Certificate Usage: Signature

  Issuer:

    cn=QuoVadis Root CA 2                 

    o=QuoVadis Limited

    c=BM

  Subject:

    cn=QuoVadis Root CA 2

    o=QuoVadis Limited

    c=BM

  Validity Date:

    start date: 14:27:00 EDT Nov 24 2006

    end   date: 14:23:33 EDT Nov 24 2031

  Associated Trustpoints: Trustpool

  Trustpool: Built-In

Problem Symptom

Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.

Affected Services	Symptoms for Affected Services
Smart Licensing	Failure to connect to the server (Details are provided in this section)
Smart Call Home	Failure to connect to the server and the Call-Home HTTP request fails

 

For cBR-8 devices, affected devices will be unable to connect to the Smart Licensing and Smart Call Home services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.

After 90 days without a Smart Licensing server connection, the cBR-8 does not allow any configuration changes. However, pre-existing licenses will still function. Some Smart Licensing symptoms are:

• The device might indicate a failure to communicate with the Smart Licensing server within 30 days from the last successful connection.
• The device will show the "Authorization Expired" state if there is no communication with the Smart Licensing server within 90 days.
• The device will show the "Unregistered" state if there is no communication with the Smart Licensing server after one year and the licensed features usage become suspended.

Note: Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.

For additional information, refer to the Cisco Smart Licensing Guide.

Note: The absence of the IdentTrust certificate is the problem, not the presence of the QuoVadis certificate. We expect QuoVadis certificates to be present during the transition period.

In this example, cBR-8 software lacks the expected IdenTrust Certificate:

#show crypto pki trustpool

CA Certificate

  Status: Available

  Certificate Serial Number (hex): 0509

  Certificate Usage: Signature

  Issuer:

cn=QuoVadis Root CA 2                     <-- Example of SW release lacking IdenTrust certificate

    o=QuoVadis Limited

    c=BM

  Subject:

    cn=QuoVadis Root CA 2

    o=QuoVadis Limited

    c=BM

  Validity Date:

    start date: 13:27:00 EST Nov 24 2006

    end   date: 13:23:33 EST Nov 24 2031

  Associated Trustpoints: Trustpool

  Trustpool: Built-In



CA Certificate

  Status: Available

  Certificate Serial Number (hex): 18DAD19E267DE8BB4A2158CDCC6B3B4A

  Certificate Usage: Signature

  Issuer:

    cn=VeriSign Class 3 Public Primary Certification Authority - G5

    ou=(c) 2006 VeriSign

     Inc. - For authorized use only

    ou=VeriSign Trust Network

    o=VeriSign

Workaround/Solution

Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to the cBR-8.

• Software Upgrade
• Manual Certificate Update

Cisco recommends the manual certificate update as it is a quicker approach to address the issue.

 

Software Upgrade

For cBR-8 devices, upgrade to one of the software versions shown in this list in order to resolve the root CA certificate issue for affected platforms.

• cBR-8 Cisco IOS^® XE Software Release 17.3.1z
• cBR-8 Cisco IOS XE Software Release 17.6.1a or later

The software download links are:

• cBR-8 Converged Broadband Router Cisco IOS XE Release 17.3.1z - Amsterdam
• cBR-8 Converged Broadband Router Cisco IOS XE Release 17.6.1a - Bengaluru

 

Manual Certificate Update via Terminal

-----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
-----END CERTIFICATE-----

Procedure:

1. Use a simple text editor such as Notepad and copy the certificate (without the BEGIN CERTIFICATE and END CERTIFICATE lines).
2. In order to enter the cBR-8 configuration mode, enter the config t command.
3. Enter the crypto pki trustpool import terminal command.
4. Paste the copied PEM-formatted CA certificate and press Return two times.
   The system should respond with "PEM files import succeeded".
5. Enter exit.
6. In order to write to memory, enter wr mem.
7. Enter show crypto pki trustpool.
   The output should now contain the IdenTrust certificate.

See this example:

cBR8#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

cBR8(config)#crypto pki trustpool import terminal

% Enter PEM-formatted CA certificate.

% End with a blank line or "quit" on a line by itself.

MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H

% PEM files import succeeded.
cBR8(config)#exit

cBR8#wr mem

Destination filename [startup-config]?

Building configuration...

[OK]

cBR8#show crypto pki trustpool
Load for five secs: 30%/2%; one minute: 25%; five minutes: 27%
Time source is NTP, 23:40:09.537 CST Sat Mar 6 2021
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0A0142800000014523C844B500000002
  Certificate Usage: Signature
  Issuer: 
    cn=IdenTrust Commercial Root CA 1
    o=IdenTrust
    c=US
  Subject: 
    cn=IdenTrust Commercial Root CA 1
    o=IdenTrust
    c=US
  Validity Date: 
    start date: 02:12:23 CST Jan 17 2014
    end   date: 02:12:23 CST Jan 17 2034
  Associated Trustpoints: Trustpool 
  Trustpool: Downloaded

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0509
  Certificate Usage: Signature
  Issuer: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Subject: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Validity Date: 
    start date: 02:27:00 CST Nov 25 2006
    end   date: 02:23:33 CST Nov 25 2031
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 18DAD19E267DE8BB4A2158CDCC6B3B4A
  Certificate Usage: Signature
  Issuer: 
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign
     Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign
     Inc.
    c=US
  Subject: 
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign
     Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign
     Inc.
    c=US
  Validity Date: 
    start date: 08:00:00 CST Nov 8 2006
    end   date: 07:59:59 CST Jul 17 2036
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco RXC-R2
    o=Cisco Systems
    c=US
  Subject: 
    cn=Cisco RXC-R2
    o=Cisco Systems
    c=US
  Validity Date: 
    start date: 06:46:56 PDT Jul 10 2014
    end   date: 06:46:56 PDT Jul 10 2034
  Associated Trustpoints: RXC_Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 61096E7D00000000000C
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject: 
    cn=ACT2 SUDI CA
    o=Cisco
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date: 
    start date: 02:56:57 PDT Jul 1 2011
    end   date: 05:25:42 PDT May 15 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Licensing Root - DEV
    o=Cisco
  Subject: 
    cn=Licensing Root - DEV
    o=Cisco
  Validity Date: 
    start date: 06:55:43 PDT Apr 25 2013
    end   date: 06:55:43 PDT Apr 25 2033
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA M2
    o=Cisco
  Subject: 
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/crcam2.crl
  Validity Date: 
    start date: 21:50:58 CST Nov 12 2012
    end   date: 21:00:17 CST Nov 12 2037
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA M2
    o=Cisco
  Subject: 
    cn=Cisco Root CA M2
    o=Cisco
  Validity Date: 
    start date: 21:00:18 CST Nov 12 2012
    end   date: 21:00:18 CST Nov 12 2037
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 6A6967B3000000000003
  Certificate Usage: Signature
  Issuer:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject: 
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date: 
    start date: 07:16:01 PDT Jun 11 2005
    end   date: 05:25:42 PDT May 15 2029
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject: 
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Validity Date: 
    start date: 05:17:12 PDT May 15 2004
    end   date: 05:25:42 PDT May 15 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 2ED20E7347D333834B4FDD0DD7B6967E
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA M1
    o=Cisco
  Subject: 
    cn=Cisco Root CA M1
    o=Cisco
  Validity Date: 
    start date: 05:50:24 CST Nov 19 2008
    end   date: 05:59:46 CST Nov 19 2033
  Associated Trustpoints: Trustpool 
  Trustpool: Built-In

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Licensing Root CA
    o=Cisco
  Subject: 
    cn=Cisco Licensing Root CA
    o=Cisco
  Validity Date: 
    start date: 04:48:47 PDT May 31 2013
    end   date: 03:48:47 CST May 31 2038
  Associated Trustpoints: Trustpool SLA-TrustPoint 
  Storage: nvram:CiscoLicensi#1CA.cer
  Trustpool: Built-In

How To Identify Affected Products

The hardware information can be identified as indicated in these examples.

Example A. CLI

Example B. Manually Check the Unit

For More Information

Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.