Cisco Bug: CSCsc45595 - PKI: import fails due to very long validity period beyond 2038

Last Modified

Apr 28, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

7.0.4

Description (partial)

Symptom:

Importing a certificate fails with the following error:

---------------------------------------------------
pix(config)# cry ca authenticate delme
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIQS7QQh2bukoZOOgeLt4Eo1TANBgkqhkiG9w0BAQUFADBM
...
zMVeGbHJ1CueXy0CU/v91QJjR8UJjHIV0mIx3A==
-----END CERTIFICATE-----

INFO: Certificate has the following attributes:
Fingerprint: be111943 83b80ac7 76c889fd 7a3b1173
Do you accept this certificate? [yes/no]: yes
% Error in saving certificate: status = FAIL
---------------------------------------------------

Running the command with "debug crypto ca 255" enabled shows
the following additional messages:

CRYPTO_PKI: can not set ca cert object (0x703)
CRYPTO_PKI: status = 65535: failed to process RA certificate

Conditions:

This problem is caused by a certificate expiration date
beyond the year 2038.
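
A pre-import check for the condition above, as an added example that is not Cisco's code: it reads notAfter from a PEM certificate and flags values later than 2038-01-19 03:14:07 UTC. That cutoff (the signed 32-bit time limit) is an assumption, since the bug text only says "beyond the year 2038"; `sample_pem` builds a constructed skeleton for testing, not a real certificate.

```python
import base64
import re
from datetime import datetime, timezone

# Assumption: "beyond the year 2038" means past the signed 32-bit time limit.
LIMIT = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(pem):
    """Return the notAfter time of a PEM X.509 certificate as an aware datetime."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    _, cert, _ = read_tlv(base64.b64decode(m.group(1)), 0)  # Certificate
    _, tbs, _ = read_tlv(cert, 0)                           # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)                          # [0] version or serialNumber
    for _ in range(3 if tag == 0xA0 else 2):                # skip up to and including issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    _, _, nxt = read_tlv(validity, 0)                       # notBefore
    tag, raw, _ = read_tlv(validity, nxt)                   # notAfter
    text = raw.decode("ascii")
    if tag == 0x17:    # UTCTime has a 2-digit year: 50-99 is 19xx, 00-49 is 20xx
        text = ("19" if text[:2] >= "50" else "20") + text
    elif tag != 0x18:  # anything else must be GeneralizedTime
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def exceeds_2038(pem):
    """True if the certificate expires after LIMIT and may hit this import failure."""
    return not_after(pem) > LIMIT

def sample_pem(not_after_text, tag):
    """Constructed DER skeleton (not a real certificate); only validity is filled in."""
    def tlv(t, body):
        return bytes([t, len(body)]) + body  # short-form lengths only (body < 128 bytes)
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(tag, not_after_text))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + tlv(0x30, b"") + validity + tlv(0x30, b""))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```
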