Cisco Bug: CSCuq74176 - PKI IOS removed valid CA certificate before expiry date

Last Modified

Oct 14, 2019

Products (80)

  • Cisco IOS
  • Cisco C892FSP Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco C897VA Integrated Services Router
  • Cisco 812 CiFi Integrated Services Router
  • Cisco 892W Integrated Services Router

Known Affected Releases

15.1(4)M8 15.3(3)M3

Description (partial)

Symptom:
While using PKI, a valid CA certificate might be prematurely removed.

Conditions:
This happens when the router certificate is not valid or is expiring.
When the CA certificate is about to expire, the router performs:

GET_NEW_CA_CERT

Even if the "auto-enroll" option is not set, at the same time it performs:

GET_NEW_ROUTER_CERT

Then the old but still valid CA certificate is removed and replaced with the new one (not yet valid).

PKI: Rolling over CA cert for CA
CRYPTO_PKI: Rollover - Expired router certificate(s) deleted from database
PKI:get_cert CA 0x100004 (expired=0) FAILED
CRYPTO_PKI: Rollover - New router certificate(s) available for use

CA and router certificates that are not yet valid are installed.


I observed two conditions (all in manual enrollment):
+ while we don't have a valid router certificate, we would replace the old CA certificate immediately after receiving the new CA certificate
+ if we have a valid router certificate, we will replace it immediately when the router certificate expires, but the old CA would still be valid.
+ if we have "auto-enroll", we have a valid router certificate all the time and the issue is not happening.
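A model of the rollover trigger described above next to a hardened rule, plus a check over the quoted debug lines, as an added example that is not Cisco's code; the certificate names and dates are constructed, and reading the four log lines as an ordered sequence is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

def premature_rollover(now, old_ca, new_ca, router_cert):
    """Model of the reported behaviour: the CA swap is triggered by the router
    certificate being missing or invalid (manual enrollment) and goes wrong
    when the old CA is still valid and the shadow CA is not yet valid."""
    router_ok = router_cert is not None and router_cert.valid_at(now)
    return (not router_ok) and old_ca.valid_at(now) and not new_ca.valid_at(now)

def safe_ca(now, old_ca, new_ca):
    """Hardened rule: only ever trust a CA cert inside its validity window, so
    the old CA stays until the shadow CA's notBefore has actually passed."""
    if new_ca.valid_at(now):
        return new_ca
    return old_ca if old_ca.valid_at(now) else None

CA_LOOKUP_FAILED = re.compile(r"PKI:get_cert CA \S+ \(expired=0\) FAILED")
NEW_ROUTER_CERT = "Rollover - New router certificate(s) available for use"

def log_shows_premature_rollover(lines):
    """Detection over PKI debug output: rollover starts, the CA certificate
    lookup fails, and a new router certificate is put into use anyway."""
    state = 0
    for line in lines:
        if "Rolling over CA cert" in line:
            state = 1
        elif state == 1 and CA_LOOKUP_FAILED.search(line):
            state = 2
        elif state == 2 and NEW_ROUTER_CERT in line:
            return True
    return False

# Constructed sample data: the shadow CA only becomes valid when the old one expires.
NOW = datetime(2014, 8, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
OLD_CA = Cert("old-ca", NOW - 365 * DAY, NOW + 30 * DAY)
NEW_CA = Cert("shadow-ca", NOW + 30 * DAY, NOW + 760 * DAY)
EXPIRED_ROUTER = Cert("router", NOW - 365 * DAY, NOW - DAY)
VALID_ROUTER = Cert("router", NOW - 365 * DAY, NOW + 10 * DAY)
SAMPLE_LOG = [  # the four debug lines quoted in the bug report
    "PKI: Rolling over CA cert for CA",
    "CRYPTO_PKI: Rollover - Expired router certificate(s) deleted from database",
    "PKI:get_cert CA 0x100004 (expired=0) FAILED",
    "CRYPTO_PKI: Rollover - New router certificate(s) available for use",
]
```

With a valid router certificate (the auto-enroll case) the model reports no premature swap, matching the third observation above.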