Symptom
Wiki on the issue
FAQ for PSIRT-0906512421 QuoVadis root CA decommission - External - Cryptographic Services Wiki (cisco.com)
Infosec URL to download the latest cert package
http://www.cisco.com/security/pki/trs/ios_core.p7b
The new IdenTrust cert can be downloaded from the following URL until Cisco products are released with the updated package:
https://www.identrust.com/identrust-commercial-root-ca-1
Conditions
The QuoVadis root CA cert will be decommissioned soon. This will impact customers using HTTPS to communicate with Cisco, as this cert is used for SSL communication validation. For most SL customers, new certs are downloaded automatically if the embedded cert does not work. But this works as long as the customers allow external communication on the HTTP port.
Most Cisco products have the cert package from Infosec embedded into their trust pool. The product teams need to update the package immediately if this is not done automatically in their build systems and make sure a release is done soon so customers don’t have to manually download the cert. This needs to be done before March 31st.
Since customers will need time to update their images, for immediate action they need to be advised to download the cert themselves and update the product.
Workaround
If there are any issues with the automatic download, manually update the certs using the following sequence of commands:
# disable smart license in the DCNM UI
# on the CLI, as root, stop dcnm
appmgr stop dcnm    # or: service FMServer stop
# go to the agent directory
cd /usr/local/cisco/dcm/fm/conf/agent
rm -f ios_core.p7b
yum install -y wget
wget http://www.cisco.com/security/pki/trs/ios_core.p7b
chown fmserver:fmserver ios_core.p7b
appmgr start dcnm    # or: service FMServer start
# enable and register smart license in the DCNM UI
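The workaround above deletes the old bundle and then fetches the replacement over plain HTTP. The following added example (not Cisco tooling, not part of the original notice) stages the download, confirms it parses as PKCS#7 and contains a certificate with an expected SHA-256 fingerprint, and only then replaces the file while keeping a backup. The function names are hypothetical, and it assumes you obtained the fingerprint independently of the download, for example by computing it from the certificate published at the IdenTrust HTTPS URL listed under Symptom.

```shell
#!/bin/sh
# Added example: check a downloaded trust bundle before it replaces the old one.
# Function names and the staging approach are assumptions, not Cisco tooling.

# Print the SHA-256 fingerprint (uppercase hex, no colons) of each cert in a
# PKCS#7 bundle. Tries DER first, then PEM. Returns 2 if the file does not parse.
p7b_fingerprints() {
    certs=$(openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null) ||
    certs=$(openssl pkcs7 -inform PEM -in "$1" -print_certs 2>/dev/null) ||
    return 2
    printf '%s\n' "$certs" | awk -v cmd='openssl x509 -noout -fingerprint -sha256' '
        /-----BEGIN CERTIFICATE-----/ { grab = 1; pem = "" }
        grab { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { grab = 0; printf "%s", pem | cmd; close(cmd) }
    ' | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the bundle contains a cert with the expected fingerprint.
# $2 must come from a source you trust independently of the download.
p7b_has_fingerprint() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    have=$(p7b_fingerprints "$1") || return 2
    printf '%s\n' "$have" | grep -qxF "$want"
}

# Replace dest with the staged bundle only after the check passes; keep a backup.
install_bundle() {   # usage: install_bundle <staged.p7b> <dest.p7b> <sha256>
    p7b_has_fingerprint "$1" "$3" || { echo "bundle rejected: $1" >&2; return 1; }
    [ ! -f "$2" ] || cp -p "$2" "$2.bak" || return 1
    cp "$1" "$2"
}
```

In the procedure above, this means downloading to a staging path such as /tmp/ios_core.p7b instead of running rm -f first, calling install_bundle with the agent directory file as the destination, and then running the chown step.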
Further Problem Description