Field Notice: FN - 72103 - ASA, FXOS and Firepower Software: QuoVadis Root CA 2 Decommission Might Affect Smart Licensing, Smart Call Home, And Other Functionality - Software Upgrade Recommended

Available Languages

Updated:March 24, 2022
Document ID:FN72103

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
2.0
24-Mar-22
Updated the Background Section
1.3
09-Mar-22
Updated the Background, Products Affected, and Workaround/Solution Sections and Added the Additional Information Section
1.2
18-Feb-22
Updated the Products Affected, Problem Description, and Workaround/Solution Sections
1.1
03-Feb-22
Updated the Products Affected and Defect Information Sections
1.0
20-Dec-21
Initial Release

Products Affected

Affected OS Type Affected Software Product Affected Release Affected Release Number Comments
NON-IOS
Adaptive Security Appliance (ASA) Software
9
9.12.2, 9.12.3, 9.12.4, 9.14.1, 9.14.2, 9.15.1, 9.8.2, 9.8.4
NON-IOS
Adaptive Security Appliance (ASA) Software
Interim
9.1.7 Interim, 9.10.1 Interim, 9.12.1 Interim, 9.12.4 Interim, 9.13.1 Interim, 9.15.1 Interim, 9.2.4 Interim, 9.4.4 Interim, 9.6.4 Interim, 9.8.4 Interim, 9.9.2 Interim
NON-IOS
Firepower Threat Defense (FTD) Software
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
Firepower Threat Defense (FTD) Software
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9
NON-IOS
Firepower Threat Defense (FTD) Software
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
Firepower Threat Defense (FTD) Software
6.4
6.4.0, 6.4.0.1, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, 6.4.0.8, 6.4.0.9
NON-IOS
Firepower Threat Defense (FTD) Software
6.5
6.5.0, 6.5.0.2, 6.5.0.4, 6.5.0.5
NON-IOS
Firepower Threat Defense (FTD) Software
6.6
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4
NON-IOS
Firepower Threat Defense (FTD) Software
6.7
6.7.0, 6.7.0.1, 6.7.0.2
NON-IOS
Firepower Management Center Software
6.1
6.1.0, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 6.1.0.7
NON-IOS
Firepower Management Center Software
6.2
6.2.0, 6.2.0.1, 6.2.0.2, 6.2.0.3, 6.2.0.4, 6.2.0.5, 6.2.0.6, 6.2.2, 6.2.2.1, 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12, 6.2.3.13, 6.2.3.14, 6.2.3.15, 6.2.3.16, 6.2.3.17, 6.2.3.2, 6.2.3.3, 6.2.3.4, 6.2.3.5, 6.2.3.6, 6.2.3.7, 6.2.3.9
NON-IOS
Firepower Management Center Software
6.3
6.3.0, 6.3.0.1, 6.3.0.2, 6.3.0.3, 6.3.0.4, 6.3.0.5
NON-IOS
Firepower Management Center Software
6.4
6.4.0, 6.4.0.1, 6.4.0.10, 6.4.0.11, 6.4.0.12, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.6, 6.4.0.7, 6.4.0.8, 6.4.0.9
NON-IOS
Firepower Management Center Software
6.5
6.5.0, 6.5.0.1, 6.5.0.2, 6.5.0.4, 6.5.0.5
NON-IOS
Firepower Management Center Software
6.6
6.6.0, 6.6.0.1, 6.6.1, 6.6.3, 6.6.4
NON-IOS
Firepower Management Center Software
6.7
6.7.0, 6.7.0.1, 6.7.0.2
NON-IOS
Firepower Extensible Operating System
2.0
2.0.1.135, 2.0.1.141, 2.0.1.144, 2.0.1.148, 2.0.1.149, 2.0.1.153, 2.0.1.159, 2.0.1.188, 2.0.1.201, 2.0.1.203, 2.0.1.204, 2.0.1.206, 2.0.1.37, 2.0.1.68, 2.0.1.86
NON-IOS
Firepower Extensible Operating System
2.1
2.1.1.106, 2.1.1.107, 2.1.1.113, 2.1.1.115, 2.1.1.116, 2.1.1.64, 2.1.1.73, 2.1.1.77, 2.1.1.83, 2.1.1.85, 2.1.1.86, 2.1.1.97
NON-IOS
Firepower Extensible Operating System
2.2
2.2.1.63, 2.2.1.66, 2.2.1.70, 2.2.2.101, 2.2.2.137, 2.2.2.17, 2.2.2.19, 2.2.2.24, 2.2.2.26, 2.2.2.28, 2.2.2.54, 2.2.2.60, 2.2.2.71, 2.2.2.83, 2.2.2.86, 2.2.2.91, 2.2.2.97
NON-IOS
Firepower Extensible Operating System
2.3
2.3.1.110, 2.3.1.111, 2.3.1.130, 2.3.1.144, 2.3.1.145, 2.3.1.155, 2.3.1.166, 2.3.1.173, 2.3.1.179, 2.3.1.180, 2.3.1.190, 2.3.1.215, 2.3.1.216, 2.3.1.58, 2.3.1.66, 2.3.1.73, 2.3.1.75, 2.3.1.88, 2.3.1.91, 2.3.1.93, 2.3.1.99
NON-IOS
Firepower Extensible Operating System
2.4
2.4.1.101, 2.4.1.214, 2.4.1.222, 2.4.1.234, 2.4.1.238, 2.4.1.244, 2.4.1.249, 2.4.1.252, 2.4.1.266, 2.4.1.268, 2.4.1.273
NON-IOS
Firepower Extensible Operating System
2.6
2.6.1.131, 2.6.1.157, 2.6.1.166, 2.6.1.169, 2.6.1.174, 2.6.1.187, 2.6.1.192, 2.6.1.204, 2.6.1.214, 2.6.1.224
NON-IOS
Firepower Extensible Operating System
2.7
2.7.1.106, 2.7.1.122, 2.7.1.131, 2.7.1.143, 2.7.1.92, 2.7.1.98
NON-IOS
Firepower Extensible Operating System
2.8
2.8.1.105, 2.8.1.125, 2.8.1.139, 2.8.1.143, 2.8.1.152, 2.8.1.164
NON-IOS
Firepower Extensible Operating System
2.9
2.9.1.131, 2.9.1.135
NON-IOS
Firepower Extensible Operating System
2.10
2.10.1.159, 2.10.1.166

Defect Information

Defect ID Headline
CSCvx00496 QuoVadis root CA decommission on pix-asa
CSCvx30107 Default trustpoint _SmartCallHome_ServerCA using SHA1 which is not supported
CSCvx71184 Smart call home trustpoint should have both Quovadis & IdenTrust
CSCvy80325 Include the ios pem files into the patch upgrade package for vFTD
CSCvx19563 FDM: Need to update various items to use STO Certificate Trust Bundle (QuoVadis Root CA Issue/PSIRT)
CSCvx13861 QuoVadis root CA decommission on Firepower 9300/4100 Supervisor
CSCvx00431 QuoVadis root CA decommission on sfims - update certificate files on SFOS based FMC and NGIPS units
CSCwa88571 Unable to register FMC with the Smart Portal
CSCvx28070 Update QuoVadis root CA for Smart license as it is getting decommissioned

Problem Description

For affected versions of the Adaptive Security Appliance (ASA), Firepower eXtensible Operating System (FXOS), and Firepower software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing and Smart Call Home will fail to establish secure connections to Cisco and might not operate properly.

Background

The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by ASA, FXOS, and Firepower software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.

Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing and Smart Call Home to fail to establish secure connections to Cisco cloud servers.

This table shows a summary of the QuoVadis Root CA 2 certificate expiration dates for affected Cisco services.

Cisco Cloud Server QuoVadis Certificate Expiration Date Affected Services
tools.cisco.com February 5, 2022
  • Smart Licensing using FMC
  • Smart Call Home

    Applies to ASA, FXOS, FMC, and FDM for Firepower 6.5 and earlier
smartreceiver.cisco.com January 26, 2023
  • Smart Licensing using Firepower Device Manager (FDM)

    Applies to FDM for Firepower 6.6 and later
Security Services Exchange (SSE) NAM March 22, 2023
May 5, 2022 for CSD feature only
  • SSE connectivity, messaging, and eventing for security cloud services
  • Eventing for Security Analytics and Logging (SAL) and SecureX
  • Cisco Support Diagnostics (CSD) used by the Technical Assistance Center (TAC) to upload diagnostics
  • Access to FDM using Cisco Defense Orchestrator (CDO)
  • Low Touch Provisioning (LTP)
  • Ribbon integration for SecureX
SSE EU March 22, 2023
May 5, 2022 for CSD feature only
SSE APJ March 16, 2023
May 5, 2022 for CSD feature only

 

Note: The Advanced Malware Protection (AMP) services are not affected by the QuoVadis certificate expiration.

Problem Symptom

Expiration of the QuoVadis Root CA 2 certificates affects these services with the associated symptoms.

Affected Services Symptoms for Affected Services
Smart Licensing Failure to connect to the server (Details are provided in this section)
Smart Call Home Failure to connect to the server and the Call-Home HTTP request fails

Note: Smart Call Home is the carrier for Smart Licensing and other telemetry data communication.
SSE connectivity, messaging, and eventing for security cloud services SSE connectivity, enrollment, and messaging will fail
Eventing for Security Analytics and Logging (SAL) and SecureX Events for SAL and SecureX will fail
Cisco Support Diagnostics (CSD) used by TAC to upload diagnostics Uploads to CSD will fail
Access to FDM using Cisco Defense Orchestrator (CDO) Onboarding new devices will fail, existing devices will not be able to provide status or deploy configurations
Low Touch Provisioning (LTP) Onboarding of devices in CDO will fail
Ribbon integration for SecureX Onboarding of the SecureX ribbon in FMC will fail, but the browser flow will be unaffected

 

For Firepower devices, affected devices will be unable to connect to the Smart Licensing and Smart Call Home services hosted by Cisco. Smart licenses might fail entitlement and reflect an Out of Compliance status.

The features that use Smart Licensing will continue to function for one year after the last successful secure connection. Some Smart Licensing symptoms are:

  • The device might indicate a failure to communicate with the Smart Licensing server within 30 days from the last successful connection.
  • The device will show the "Authorization Expired" state if there is no communication with the Smart Licensing server within 90 days.
  • The device will show the "Unregistered" state if there is no communication with the Smart Licensing server after one year and the licensed features usage become suspended.

Offline licensing, such as Permanent License Reservation (PLR) and Specific License Reservation (SLR), is not affected by the certificate change on the Smart Licensing server.

For additional information, refer to the Cisco Smart Licensing Guide.

 

ASA - Problem Symptoms

For ASA-based devices, enter the show license registration command in order to view the licensing status. Affected ASA security chassis will show "Communication message send response error" in the output.

ASA# show license registration
        Registration Status: Retry In Progress.
        Registration Start Time: Mar 22 13:25:46 2016 UTC
        Registration Status: Retry In Progress.
        Registration Start Time: Mar 22 13:25:46 2016 UTC
        Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
        Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
        Number of Retries: 1.
        Last License Server response time: Mar 22 13:26:32 2016 UTC.
        Last License Server response message: Communication message send response error

 

FXOS - Problem Symptoms

For FXOS-based devices, enter the show license all command in order to view the licensing status. Affected Firepower devices will show "Failure reason: Failed to authenticate server" in the output.

Firepower # show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:

  Status: REGISTERING - REGISTRATION IN PROGRESS
  Export-Controlled Functionality: Not Allowed
  Initial Registration: FAILED on Oct 09 18:03:27 2018 UTC
    Failure reason: Failed to authenticate server
  Next Registration Attempt: Oct 09 18:18:39 2018 UTC

 

FMC - Problem Symptoms

For Firepower-based devices managed by the FMC, the management console will show this message if there is no connection to the Smart Licensing server.

 

FDM - Problem Symptoms

For Firepower-based devices managed by the FDM that have already been Smart Licensed, there might not be any observable problem symptoms. For devices not previously Smart Licensed, attempts to license the device might fail with a communication error.

Workaround/Solution

Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends these two options to add the new IdenTrust Commercial Root CA 1 certificate to the ASA, FXOS, and Firepower software.

  • Software Upgrade
  • Manual Certificate Update

Updated software versions that address this issue are available from the Cisco Software Download Center for your device.

Software Upgrade

For ASA-based devices, upgrade to one of the ASA software versions shown in the table in order to resolve the root CA certificate issue for affected devices.

Release Version Fixed Version
ASA 9.1.x Migrate to a fixed release
ASA 9.2.x Migrate to a fixed release
ASA 9.3.x Migrate to a fixed release
ASA 9.4.x Migrate to a fixed release
ASA 9.5.x Migrate to a fixed release
ASA 9.6.x Migrate to a fixed release
ASA 9.7.x Migrate to a fixed release
ASA 9.8.x ASA 9.8.4.39 or later
ASA 9.9.x Migrate to a fixed release
ASA 9.10.x Migrate to a fixed release
ASA 9.12.x ASA 9.12.4.24 or later
ASA 9.13.x Migrate to a fixed release
ASA 9.14.x ASA 9.14.2.14 or later
ASA 9.15.x ASA 9.15.1.15 or later

 

ASA 9.5.2.x or Later - Auto-Import Certificate Update

For ASA-based devices that run ASA software Version 9.5.2.x or later, the issue can be resolved using the auto-import feature without an upgrade to the ASA software. Enter this command in order to auto-import the IdenTrust Commercial Root CA 1 certificate.

ASA# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b

 

ASA - Manual Certificate Update

For ASA-based devices that run any version of ASA software, the issue can be resolved without an upgrade to the ASA software. Enter these commands in order to manually import the IdenTrust Commercial Root CA 1 certificate.

ASA# config t
ASA(config)# crypto ca trustpoint IdenTrust
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# crl configure
ASA(config-ca-crl)# crypto ca authenticate IdenTrust
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
-----END CERTIFICATE-----

quit
INFO: Certificate has the following attributes:
Fingerprint:     b33e7773 75eea0d3 e37e4963 4959bbc7
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

 

FXOS - Software Upgrade

For FXOS-based devices, upgrade to one of the FXOS software versions shown in the table in order to resolve the root CA certificate issue for affected devices.

Release Version Fixed Version
FXOS 2.0.x Migrate to a fixed release
FXOS 2.1.x Migrate to a fixed release
FXOS 2.2.x FXOS 2.2.2.148 or later
FXOS 2.3.x FXOS 2.3.1.219 or later
FXOS 2.4.x Migrate to a fixed release
FXOS 2.6.x FXOS 2.6.1.229 or later
FXOS 2.7.x Migrate to a fixed release
FXOS 2.8.x FXOS 2.8.1.172 or later
FXOS 2.9.x FXOS 2.9.1.143 or later
FXOS 2.10.x FXOS 2.10.1.179 or later

 

FXOS 2.8.x or Later - Auto-Import Certificate Update

For FXOS-based devices with Internet connectivity and that run FXOS 2.8.x or later, the issue can be resolved using the auto-import feature without an upgrade to the FXOS software. Enter these commands in order to auto-import the IdenTrust Commercial Root CA 1 certificate.

FXOS# scope security
FXOS /security #
FXOS /security # enter tp-auto-import
FXOS /security/tp-auto-import* #
FXOS  /security/tp-auto-import* # commit-buffer

/* Wait for a minute to get the auto import complete */

FXOS  /security/tp-auto-import # sh detail
Trustpoints auto import source URL: http://www.cisco.com/security/pki/trs/ios_core.p7b
TrustPoints auto import scheduled time : 22:00
Last Importing Status : Success, Imported with 15 TrustPoint(s)
TrustPoints auto Import function : Enabled
FXOS  /security/tp-auto-import #

 

FXOS - Manual Certificate Update

For FXOS-based devices that run any version of FXOS software, the issue can be resolved using the manual certificate import procedure without an upgrade to the FXOS software. Enter these commands in order to manually import the IdenTrust Commercial Root CA 1 certificate.

FXOS # scope security
FXOS /security # create trustpoint IdenTrust
FXOS /security/trustpoint* # set certchain

-----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
-----END CERTIFICATE-----


>ENDOFBUF
FXOS /security/trustpoint* # commit-buffer
FXOS /security/trustpoint # end
FXOS # scope licdebug
FXOS /license/licdebug # renew

 

Firepower - Software Upgrade

For Firepower-based devices, upgrade to one of the Firepower software versions shown in the table and run the additional commands in order to resolve the root CA certificate issue for affected devices.

Release Version Fixed Version
Firepower 6.1.x Migrate to a fixed release
Firepower 6.2.x Firepower 6.2.3.18 or later
Firepower 6.3.x Migrate to a fixed release
Firepower 6.4.x Firepower 6.4.0.13 or later
Firepower 6.5.x Migrate to a fixed release
Firepower 6.6.x Firepower 6.6.5 or later
Firepower 6.7.x Firepower 6.7.0.3 or later

Note: An update to Firepower 7.0 or later will resolve the field notice issue and requires no additional manual steps.

For Firepower 6.7 or earlier, after you upgrade the FMC to a fixed version, remove the certificate file at /etc/sf/gch/call_home_ca and restart the Smart Licensing Agent (sla) process to resume communications with Cisco Smart Software Manager (CSSM) with these steps:

  1. Access the CLI. For FMC deployments, log in to the FMC CLI as admin or another user with shell access.
  2. Enter the expert command in order to access the Linux shell.
  3. Elevate the user to root with the sudo su – command and enter the password when prompted.
  4. Remove the /etc/sf/gch/call_home_ca file with the rm /etc/sf/gch/call_home_ca command.
  5. Restart the Smart Licensing Agreement process with the pmtool restartbyid sla command.

 

Firepower - Manual Certificate Update

For devices managed by FMC, the issue can be resolved for the Smart Licensing service only without an upgrade to the Firepower software. For services other than Smart Licensing, a software upgrade is required to fix the issue.

Complete these steps in order to manually import the IdenTrust Commercial Root CA 1 certificate. Do not use this workaround when you use Common Criteria (CC) Mode or for devices managed by Firepower Device Manager (FDM). Instead, upgrade to one of the Firepower software versions provided in the table.

  1. Enter sudo su - in order to elevate to root.
  2. Enter mv /etc/sf/gch/call_home_ca /etc/sf/gch/call_home_ca.bak in order to back up the current certificate.
  3. Create a new certificate file.
    1. Enter vim /etc/sf/gch/call_home_ca.
    2. Press the i key in order to enter editing mode.
    3. Copy and paste this IdenTrust Commercial Root CA 1 certificate into the file. 
      -----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
-----END CERTIFICATE-----
    4. Press the ESC key in order to exit editing mode.
    5. Enter :wq and then press the ENTER key in order to save the file and exit.
  4. Enter pmtool restartbyid sla in order to restart the Smart Licensing Agreement process and use the updated IdenTrust certificate.

Additional Information

Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products