Field Notice: FN - 72353 - CBW14x/24x: QuoVadis root CA 2 Decommission on CBW APs May Affect ASD Image Update Functions. - Software Upgrade Recommended

Available Languages

Updated:March 1, 2022

Document ID:FN72353

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	01-Mar-22	Initial Release

Products Affected

Affected Product ID	Comments
CBW140AC-A
CBW140AC-A-CA
CBW140AC-B
CBW140AC-D
CBW140AC-E
CBW140AC-EMULTI
CBW140AC-F
CBW140AC-G
CBW140AC-H
CBW140AC-K
CBW140AC-Q
CBW140AC-R
CBW140AC-S
CBW140AC-T
CBW140AC-Z
CBW240AC-A
CBW240AC-A-CA
CBW240AC-B
CBW240AC-D
CBW240AC-E
CBW240AC-F
CBW240AC-G
CBW240AC-H
CBW240AC-I
CBW240AC-K
CBW240AC-Q
CBW240AC-R
CBW240AC-S
CBW240AC-T
CBW240AC-Z
CBW145AC-A
CBW145AC-A-CA
CBW145AC-B
CBW145AC-D
CBW145AC-E
CBW145AC-F
CBW145AC-G
CBW145AC-H
CBW145AC-I
CBW145AC-R
CBW145AC-S
CBW145AC-T
CBW145AC-Z
CBW145AC-Q
CBW145AC-K
CBW141ACM-A-AR
CBW141ACM-A-CA
CBW141ACM-A-NA
CBW141ACM-B-NA
CBW141ACM-D-IN
CBW141ACM-E-EU
CBW141ACM-E-UK
CBW141ACM-E-IN
CBW141ACM-F-EU
CBW141ACM-G-EU
CBW141ACM-I-EU
CBW141ACM-K-KR
CBW141ACM-K-UK
CBW141ACM-R-EU
CBW141ACM-S-UK
CBW141ACM-S-EU
CBW141ACM-Z-AU
CBW141ACM-Z-BR
CBW142ACM-A-NA
CBW142ACM-B-NA
CBW142ACM-E-EU
CBW142ACM-E-UK
CBW142ACM-F-EU
CBW142ACM-I-EU
CBW142ACM-K-UK
CBW142ACM-R-EU
CBW142ACM-S-UK
CBW142ACM-S-EU
CBW142ACM-Z-AU
CBW142ACM-D-IN
CBW142ACM-A-CA
CBW143ACM-A-NA
CBW143ACM-B-NA
CBW143ACM-D-IN
CBW143ACM-E-EU
CBW143ACM-E-UK
CBW143ACM-F-EU
CBW143ACM-I-EU
CBW143ACM-K-UK
CBW143ACM-R-EU
CBW143ACM-S-UK
CBW143ACM-S-EU
CBW143ACM-Z-AU
CBW143ACM-A-CA

Defect Information

Defect ID	Headline
CSCwa55717	QuoVadis root CA decommission on CBW APs

Problem Description

For affected versions of the CBW AP software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Automated Software Distribution (ASD) image update will fail to establish secure connections to Cisco and might not operate properly.

The CBW APs include versions of the following:

CBW140AC
CBW240AC
CBW145AC
CBW141ACM
CBW142ACM
CBW143ACM

Background

The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by CBW AP software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.

Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as ASD image upgrade to fail to establish secure connections to Cisco cloud servers. The CBW AP QuoVadis Cert expires 24 November 2031.

Problem Symptom

Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.

Affected Services	Symptoms for Affected Services
ASD image download and status	Failure to upgrade image.

For CBW AP devices, affected devices will be unable to connect to the ASD image upgrade services hosted by Cisco. The services involved in the ASD image download are Auth token generation, image version details, download URL of the image, and download percentage.

Workaround/Solution

Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends an upgrade to add the new IdenTrust Commercial Root CA 1 certificate to the CBW AP.

For CBW AP devices, upgrade to firmware version 10.7.1.0 or later.

For More Information

Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Business 240AC Access Point