Symptom
On FMC you might receive a health alert related to an FTD device:
Code - F0853; Description - default Keyring's certificate is invalid, reason: expired
The fault comes from the FXOS side:
FP# show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Major F0853 2018-06-22T10:05:09.798 126445 default Keyring's certificate is invalid, reason: expired.
Once FTD has been upgraded to one of the Known Fixed Releases, the command below should be executed to regenerate the certificate:
> system support regenerate-security-keyring
Conditions
Firepower 2100 running FTD application.
For FDM or for the External API:
The expired certificate will not allow a secure connection to the API.
For FMC:
The fault does not cause any impact.
Workaround
For FDM and the External API:
On FDM, a new self-signed certificate can be generated, or a custom certificate can be imported.
On FXOS, connect to the chassis and run the commands below:
# sysopt sam 1001 on
# scope security
# scope keyring default
# set regenerate yes
# commit-buffer
# sysopt sam 1001 off
For FMC:
1) Ignore the health alerts.
2) Disable the "Platform Faults" alerts in the health policy applied to FTD devices (keep in mind that it will disable all Platform Faults alerts).
3) Contact TAC for a workaround to regenerate the certificate.
On 6.5.0, a new command has been introduced to generate the certificate:
> system support regenerate-security-keyring
Successfully regenrated the security keyring.
Further Problem Description
When running a fixed release, you may potentially be impacted by CSCwe60267.
Note that the fault text is slightly different, as it shows up as
---FDM Keyring's certificate is invalid, reason: expired---
Rather than
---default Keyring's certificate is invalid, reason: expired---
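As an added example (not part of the original bug description), the following Python parses FXOS "show fault" output, picks out F0853 faults that report an expired keyring certificate, and distinguishes the "default" keyring variant from the "FDM" keyring variant described above, so both can be caught before FMC health alerts are disabled. The sample output is constructed from the fault line quoted on this page; the F0000 filler row is made up.

```python
import re

# Constructed sample of FXOS "show fault" output, modelled on the fault line
# quoted on this page; the F0000 row is a made-up filler fault.
SAMPLE_SHOW_FAULT = """\
Severity  Code     Last Transition Time     ID       Description
--------- -------- ------------------------ -------- -----------
Major     F0853    2018-06-22T10:05:09.798  126445   default Keyring's certificate is invalid, reason: expired.
Minor     F0000    2018-06-20T08:00:00.000  126001   constructed filler fault, not a keyring problem
Major     F0853    2023-03-01T12:00:00.000  130002   FDM Keyring's certificate is invalid, reason: expired.
"""

# One data row of "show fault": severity, code, transition time, fault ID, description.
FAULT_ROW = re.compile(
    r"^(?P<severity>\S+)\s+(?P<code>F\d{4})\s+(?P<time>\S+)\s+(?P<id>\d+)\s+(?P<desc>.+?)\s*$"
)
# Description text used by fault F0853 for an invalid keyring certificate.
KEYRING_DESC = re.compile(
    r"^(?P<keyring>\S+) Keyring's certificate is invalid, reason: (?P<reason>\w+)\.?$"
)

def parse_show_fault(text):
    """Parse "show fault" output into a list of dicts, skipping the header lines."""
    return [m.groupdict() for line in text.splitlines() if (m := FAULT_ROW.match(line))]

def expired_keyring_faults(faults):
    """Return the F0853 faults that report an expired keyring certificate,
    tagged with the affected keyring name ("default" or "FDM")."""
    found = []
    for f in faults:
        if f["code"] != "F0853":
            continue
        m = KEYRING_DESC.match(f["desc"])
        if m and m["reason"] == "expired":
            found.append({**f, "keyring": m["keyring"]})
    return found

def remediation(keyring):
    """Map the affected keyring to the action this page describes."""
    if keyring == "default":
        return "upgrade to a fixed release, then run: system support regenerate-security-keyring"
    if keyring == "FDM":
        return "fault text matches CSCwe60267; check that bug rather than this one"
    return "unrecognised keyring; inspect the fault description manually"

if __name__ == "__main__":
    for f in expired_keyring_faults(parse_show_fault(SAMPLE_SHOW_FAULT)):
        print(f"{f['id']} {f['keyring']} keyring expired since {f['time']}: {remediation(f['keyring'])}")
```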