
OPERATIONAL DEFECT DATABASE
The maximum lifetime of a self-signed cert is 00:00:00 UTC Jan 1 2020.

Attempting to generate a self-signed IOS/IOS-XE cert before this date sets the Validity Date End at 00:00:00 UTC Jan 1 2020 or Dec 31 2019.

Attempting to generate a self-signed IOS/IOS-XE cert after this date results in the error:

    002715: .Jan 1 10:12:12.351: ../cert-c/source/certobj.c(535) : E_VALIDITY : validity period start later than end

IOS/IOS-XE PKI Self-Signed Certificate

1. Upgrade to a fixed release.
2. Use a 3rd-party CA to sign and issue the certificate.
3. Use the IOS CA Server hosted locally to sign the certificate.
4. Use openssl to generate a PKCS12 to import with the following command:

Base64:

    openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 5000 -out tmp.cer -subj "/CN=SelfSignedCert" &&
      openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 &&
      openssl base64 -in tmp.bin &&
      rm tmp.bin tmp.key tmp.cer

PKCS12 PFX:

    openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 5000 -out tmp.cer -subj "/CN=SelfSignedCert" &&
      openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 &&
      openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey tmp.key -in tmp.cer &&
      rm tmp.bin tmp.key tmp.cer

Further details on the impact of this defect are available in the following Field Notice: https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html
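
The following triage helper is an added example, not code from Cisco or from this defect record. It flags certificates whose Validity Date End sits at the 2020 cap and finds the generation error in collected logs. The function names are hypothetical, timestamps are assumed to be written as they appear above, and the second sample log line is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Cap stated in this record: 00:00:00 UTC Jan 1 2020.
CUTOFF = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Signature built from the error line quoted in this record.
E_VALIDITY = re.compile(
    r"certobj\.c\(\d+\)\s*:\s*E_VALIDITY\s*:\s*validity period start later than end")

# Time format as written in this record, e.g. "00:00:00 UTC Jan 1 2020".
IOS_TIME = re.compile(r"(\d{2}):(\d{2}):(\d{2}) UTC ([A-Z][a-z]{2}) +(\d{1,2}) (\d{4})")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def parse_ios_time(text):
    """Return an aware UTC datetime for an IOS-style timestamp, or None."""
    m = IOS_TIME.search(text)
    if not m or m.group(4) not in MONTHS:
        return None
    hh, mm, ss, mon, day, year = m.groups()
    return datetime(int(year), MONTHS.index(mon) + 1, int(day),
                    int(hh), int(mm), int(ss), tzinfo=timezone.utc)


def classify_end_date(end_text, now):
    """Classify a certificate's Validity Date End against the 2020 cap."""
    end = parse_ios_time(end_text)
    if end is None:
        return "unparsed"
    if end > CUTOFF:
        return "ok"  # lifetime extends past the cap (CA-issued or imported)
    if CUTOFF - end <= timedelta(days=1):
        # The record gives the capped end as Jan 1 2020 or Dec 31 2019.
        return "expired-at-cap" if now >= end else "capped-not-yet-expired"
    return "expired-other" if now >= end else "ok"


def find_generation_failures(log_lines):
    """Return the log lines that show the post-cutoff generation error."""
    return [line for line in log_lines if E_VALIDITY.search(line)]


# Sample input: the first line is copied from this record, the second is constructed.
SAMPLE_LOG = [
    "002715: .Jan 1 10:12:12.351: ../cert-c/source/certobj.c(535) : "
    "E_VALIDITY : validity period start later than end",
    "002716: .Jan 1 10:12:13.001: %SYS-5-CONFIG_I: Configured from console",
]
```
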