THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected OS Type
Affected Release Number:
1.3, 1.0, 1.1, 1.2, 1.4
2.3.0, 2.0.1, 2.0, 2.2.0, 2.1.0
Adding Hydrant certificate chain to ISE default trust certificate store
Cisco Identity Services Engine (ISE) Posture and Bring Your Own Device (BYOD) package updates will fail if the ISE trust store is not updated with the new HydrantID root certificates.
ISE connects to Cisco.com via SSL in order to obtain binary and data updates for Posture and BYOD. On February 14th, 2018, Cisco will renew the certificate for that SSL connection. The new certificate has a root certificate signed by QuoVadis.
Only ISE deployments with Posture or BYOD updates enabled are affected by this change. After Cisco replaces the certificate on the update servers, Posture and BYOD updates will no longer function for systems that have not updated to the new HydrantID root certificates.
Error messages will be displayed when the system has not been updated to new root certificates. Examples of these messages are shown here:
In order to resolve this issue, complete these steps to install the new root certificate chain provided at Cisco.com and trust it for authentication of Cisco Services:
1. Choose Administration > System > Certificates > Trusted Certificates and click Import.
2. Browse and choose QuoVadisRootCA2.crt. Check the Trust for authentication of Cisco Services check box and click Submit.
3. Click Yes in order to accept the SHA-1 warning.
4. Repeat steps 1 to 3 in order to import the HydrantIDSSLICAG2.crt certificate.
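Before the two files are imported, they can be checked on an administrator workstation to confirm that the intermediate really chains to the root and that neither has expired. This is an added example, not part of the Cisco notice: it assumes OpenSSL is installed and both files are PEM-encoded, and the function names are illustrative. Compare the printed SHA-256 fingerprints with values obtained from the CA through a separate channel.

```shell
#!/bin/sh
# Added example: pre-import check of a root/intermediate certificate pair.
# Assumptions: OpenSSL on PATH, PEM-encoded input; names are illustrative.
# Usage: sh check_chain.sh QuoVadisRootCA2.crt HydrantIDSSLICAG2.crt

# Print the fields an operator compares with out-of-band values, plus the
# signature algorithm (for comparison with the SHA-1 warning in step 3).
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256 &&
    openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm'
}

# Return codes: 0 ok, 2 unreadable file, 3 root not self-issued,
#               4 intermediate does not chain to root, 5 expired.
check_chain() {
    cc_root=$1
    cc_inter=$2
    # Both files must parse as X.509 certificates.
    for cc_f in "$cc_root" "$cc_inter"; do
        openssl x509 -in "$cc_f" -noout 2>/dev/null ||
            { echo "FAIL: cannot parse $cc_f" >&2; return 2; }
    done
    # A root certificate names itself as issuer.
    cc_subj=$(openssl x509 -in "$cc_root" -noout -subject | sed 's/^subject= *//')
    cc_iss=$(openssl x509 -in "$cc_root" -noout -issuer | sed 's/^issuer= *//')
    [ "$cc_subj" = "$cc_iss" ] ||
        { echo "FAIL: $cc_root is not self-issued" >&2; return 3; }
    # Neither certificate may already be past its notAfter date.
    for cc_f in "$cc_root" "$cc_inter"; do
        openssl x509 -in "$cc_f" -noout -checkend 0 >/dev/null ||
            { echo "FAIL: $cc_f has expired" >&2; return 5; }
    done
    # The intermediate's signature must verify against the root alone.
    openssl verify -CAfile "$cc_root" "$cc_inter" >/dev/null 2>&1 ||
        { echo "FAIL: $cc_inter does not chain to $cc_root" >&2; return 4; }
    describe_cert "$cc_root" && describe_cert "$cc_inter"
}

# Run the check only when the script is given the two file names.
if [ "$#" -eq 2 ]; then
    check_chain "$1" "$2"
fi
```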
Service is restored. To verify, choose Updates from the Posture option under Administration > System > Settings. In the Posture Updates section, click Update Now. A successful message will display similar to the one in this screenshot:
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: