THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
| Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|
| DNA Center Software | 2 | 2.3.7.0, 2.3.7.0-AIRGAP, 2.3.7.0-AIRGAP-EFT1, 2.3.7.0-AIRGAP-MDNAC, 2.3.7.0-VA, 2.3.7.10, 2.3.7.10-AIRGAP, 2.3.7.10-AIRGAP-EFT1, 2.3.7.10-EFT1, 2.3.7.10-VA, 2.3.7.10-VA-EFT1, 2.3.7.10AIRGAP-MDNAC, 2.3.7.3, 2.3.7.3-AIRGAP, 2.3.7.3-AIRGAP-MDNAC, 2.3.7.3-VA, 2.3.7.4, 2.3.7.4-AIRGAP, 2.3.7.4-AIRGAP-EFT1, 2.3.7.4-AIRGAP-MDNAC, 2.3.7.4-EFT1, 2.3.7.4-EFT1-wl, 2.3.7.4-EFT2, 2.3.7.4-EFT3, 2.3.7.4-SUNEFT, 2.3.7.4-SUNEFT1, 2.3.7.4-VA, 2.3.7.4-VA-EFT1, 2.3.7.4-VA-EFT2, 2.3.7.4-VA-EFT3, 2.3.7.5, 2.3.7.5-AIRGAP, 2.3.7.5-EFT1, 2.3.7.5-VA, 2.3.7.5-VA-EFT1, 2.3.7.5-VA-EFT2, 2.3.7.6, 2.3.7.6-AIRGAP, 2.3.7.6-AIRGAP-MDNAC, 2.3.7.6-CCGM-EFT1, 2.3.7.6-EFT1, 2.3.7.6-EFT2, 2.3.7.6-EFT3, 2.3.7.6-VA, 2.3.7.7, 2.3.7.7-AIRGAP, 2.3.7.7-AIRGAP-MDNAC, 2.3.7.7-VA, 2.3.7.9, 2.3.7.9-70301-GSMU10, 2.3.7.9-70301-SMU1, 2.3.7.9-75403-GSMU10, 2.3.7.9-75403-SMU10, 2.3.7.9-AIRGAP, 2.3.7.9-AIRGAP-MDNAC, 2.3.7.9-EFT1, 2.3.7.9-VA, 2.3.7.9-VA-EFT1, 2.3.7.9.75403.10-VA | All software versions prior to 2.3.7.11 |
| DNA Center Software | 3 | 3.1.3, 3.1.3-EFT1, 3.1.3-EFT2, 3.1.3-EFT3, 3.1.3-EFT4, 3.1.3-EFT5, 3.1.3-EFT6, 3.1.3-VA, 3.1.5, 3.1.5-EFT1, 3.1.5-RevUp, 3.1.5-VA, 3.1.5-VA on AWS, 3.1.6, 3.1.6-BETA, 3.1.6-EFT1, 3.1.6-EFT2, 3.1.6-VA, 3.1.6-VA-EFT2, 3.2.1-EFT1 | All software versions prior to 3.1.6 GSMU 200 and 3.2.2 |
| Defect ID | Headline |
|---|---|
| CSCwt38873 | [2.3.7.11 RC3] CATC ISE Integration - Failed Client EKU validation - Leaves checkbox checked breaking integration |
| CSCwt20914 | [2.3.7.11-75024/3.2.1-75427] System Certificate EKU clientAuth shall be optional |
There are two problems:
Historically, public CAs have provided the option to generate signed server SSL certificates that contain the EKU for both server and client authentication. These certificates are often used to provide server or website authentication and client authentication through the same certificate, for example, with mutual TLS (mTLS). SSL certificates with the server EKU are primarily intended to provide server authentication, such as with secure connections between browsers and public websites. Security risk is increased if the same certificate is also used for device authentication. Because of this increased risk, browser root programs have announced that they are updating their certificate root policy to no longer trust certificates that contain both server and client EKU (Reference: Google Chrome Root Program Policy). In addition, public CAs have announced that starting May 15, 2026, they will no longer generate server SSL certificates containing the client EKU.
Affected releases of Cisco Catalyst Center software assume that a CA-signed server certificate includes both server and client EKU in two relevant circumstances: when the user generates a CSR to replace the server certificate, and when the server certificate is used for Cisco ISE integration through pxGrid. Existing, unexpired, CA-signed server certificates are not affected and no failure symptoms occur. However, if the Cisco Catalyst Center server certificate is renewed after May 15, 2026 or is otherwise installed without the client EKU, the failure symptoms will occur.
Cisco Catalyst Center products can be affected by potential authentication issues and impacted functionality caused by using server authentication-only certificates provided by public root CAs.
Symptom 1:
If the user attempts to refresh the Cisco Catalyst Center server certificate by using the System > Settings > Certificates > System Certificates path and generates a new CSR, the user interface does not allow the clientAuth EKU to be deselected. The resulting CSR includes both the server and client EKU, and will not be honored by the CA after May 15, 2026.
Symptom 2:
If a Cisco Catalyst Center server certificate that does not have the clientAuth EKU is installed and the user configures Cisco ISE integration with pxGrid to use the server certificate, ISE integration will fail. Cisco ISE pxGrid requires a certificate with both the server and client EKU. If a Cisco Catalyst Center server certificate that contains both server and client EKU was previously used successfully for pxGrid, and the certificate is later replaced with one that does not have client EKU, the user does not have the option to change the configuration to allow Cisco ISE to generate the pxGrid certificate. The checkbox for Use Catalyst Center certificate for pxGrid on the System Settings > Authentication and Policy Servers > Add ISE > Advanced Settings page is disabled but left in the checked state and cannot be changed. Cisco Catalyst Center will attempt to use the new server certificate for pxGrid and the connection will fail.
Solution
To fix the two EKU problems described in this notice, upgrade Cisco Catalyst Center software to one of the following software releases that contain the fixes:
Alternatively, switch to a private (internal) CA to generate the Cisco Catalyst Center server certificate. Private CAs can continue to sign SSL certificates that include both server EKU and client EKU.
Workaround for Problem 1:
Use OpenSSL instead of Cisco Catalyst Center to generate the CSR and omit clientAuth EKU in the CSR. See the section titled "Generate a certificate request using OpenSSL" in the Cisco Catalyst Center Security Best Practices Guide for detailed instructions.
Workaround for Problem 2:
Uncheck the checkbox Use Catalyst Center certificate for pxGrid before replacing the Cisco Catalyst Center server certificate with one that does not contain the client EKU. This will successfully configure Cisco Catalyst Center to use the Cisco ISE-generated certificate for pxGrid instead.
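The following is an added example, not part of this field notice or Cisco's documentation: a small shell script that builds a serverAuth-only CSR with OpenSSL (the Problem 1 workaround) and a check that reports whether a CSR or certificate carries the clientAuth EKU, which is what to confirm before replacing the server certificate (Problem 2). The host name and file paths are placeholders.

```sh
#!/bin/sh
# Added example (not from the field notice): create a CSR that carries only the
# serverAuth EKU, then inspect a CSR or certificate for clientAuth.
set -eu

# Generate a key and a serverAuth-only CSR. CN/SAN values are placeholders.
make_server_only_csr() {
  key="$1"; csr="$2"; cn="$3"
  cfg="$(mktemp)"
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $cn
[ ext ]
# serverAuth only: clientAuth is deliberately omitted, which is the workaround
extendedKeyUsage   = serverAuth
keyUsage           = digitalSignature, keyEncipherment
subjectAltName     = DNS:$cn
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -config "$cfg" >/dev/null 2>&1
  rm -f "$cfg"
}

# Print the EKU values of a CSR ("req") or a certificate ("x509").
eku_of() {  # usage: eku_of req|x509 FILE
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n1 | sed 's/^ *//'
}

# Exit 0 if FILE carries clientAuth, 1 otherwise. If a replacement server
# certificate lacks it, uncheck "Use Catalyst Center certificate for pxGrid"
# before installing it, as the workaround above describes.
has_client_auth() {  # usage: has_client_auth req|x509 FILE
  eku_of "$1" "$2" | grep -q 'TLS Web Client Authentication'
}
```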
To determine if a serial number is affected, see the Serial Number Validation section of this field notice.
| Version | Description | Section | Date |
| 1.0 | Initial Release | — | 2026-MAY-11 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.