OPERATIONAL DEFECT DATABASE
...
...
On FMC you might receive health alert related to FTD device: Code - F0853; Description - default Keyring's certificate is invalid, reason: expired The fault is coming from FXOS side: FP# show fault Severity Code Last Transition Time ID Description --------- -------- ------------------------ -------- ----------- Major F0853 2018-06-22T10:05:09.798 126445 default Keyring's certificate is invalid, reason: expired. Once FTD will be upgraded to the one of the Known Fixed Releases, below command should be executed to regenerate certificate: > system support regenerate-security-keyring
Firepower 2100 running FTD application. For FDM or for External API: This will not allow a secure connection to the API. For FMC: The fault do not cause any impact.
For FDM and External API: On FDM, a new self-signed certificate can be generated, or a custom certificate can be imported. On FXOS: Connect to the chassis and run the below commands: # sysopt sam 1001 on # scope security # scope keyring default # set regenerate yes # commit-buffer # sysopt sam 1001 off For FMC: 1) Ignore the health alerts. 2) Disable the "Platform Faults" alerts in the health policy applied to FTD devices (keep in mind that it will disable all Platform Faults alerts). 3) Contact TAC for a workaround to regenerate the certificate. On 6.5.0, a new command has been introduced to generate the certificate: > system support regenerate-security-keyring Successfully regenrated the security keyring.
When running a fixed release, you may potentially be impacted by CSCwe60267. Note that the fault is slightly different as shows up ---FDM Keyring's certificate is invalid, reason: expired--- Rather than ---default Keyring's certificate is invalid, reason: expired---
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
