General
Recently, there was an industry-wide issue affecting the revocation abilities of certain CAs. Cisco has identified that a QuoVadis CA certificate in our trust chain has been impacted and will be decommissioned in the next few months. The IdenTrust Commercial Root CA 1 will be used to issue SSL certificates previously issued by the QuoVadis RootCA 2, and a code change is needed to accept these newer certificates from the IdenTrust CA.
Symptom
Without this fix, there might be issues when a Nexus device tries to connect to a Cisco server whose certificate was issued by the IdenTrust root CA. Affected platforms will be unable to register with the Smart Licensing and Smart Call Home server hosted by tools.cisco.com. Smart licenses might fail entitlement and reflect an Out of Compliance status.
Conditions
This happens when a secure connection is attempted with a Cisco server hosting the Smart Licensing and Smart Call Home server.
Workaround
Users have an import option: they can import the root-ca trustpool from a provided URL and, in this way, install the new trustpool, which meets all requirements.
Further Problem Description
Recently, there was an industry-wide issue affecting the revocation abilities of certain CAs. Cisco has identified that a QuoVadis CA certificate in our trust chain has been impacted and will be decommissioned in the next few months.
To address this, the IdenTrust Commercial Root CA 1 will be used to issue SSL certificates previously issued by the QuoVadis RootCA 2.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html