Symptom
The trustpool auto-update cycle on the router causes some certificates to be removed.
As a result, the Baltimore certificate is removed and TLS connections with Microsoft are dropped.
Reference guide for the feature, which depends heavily on trustpool certificates:
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/direct-routing-with-cube.pdf
Conditions
Certificates are imported from a non-default CA bundle such as "http://www.cisco.com/security/pki/trs/ios.p7b".
The default CA bundle, "http://www.cisco.com/security/pki/trs/ios_core.p7b", is also present.
One of the certificates in either bundle is close to expiring, which triggers the auto-update cycle.
Workaround
To work around this, we removed the second import location.
config t
crypto pki trustpool policy
no cabundle url http://www.cisco.com/security/pki/trs/ios_core.p7b
cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
end
wr mem
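An added example, not part of the original bug record or any Cisco tooling: a Python check that flags saved configurations matching the Conditions above, that is, the default bundle URL configured together with a non-default one under "crypto pki trustpool policy". The sample configurations and hostnames are constructed, and the check assumes both "cabundle url" lines appear in the saved configuration text in the form used by the workaround commands.

```python
import re

# Default bundle URL as given on this page.
DEFAULT_BUNDLE = "http://www.cisco.com/security/pki/trs/ios_core.p7b"

def trustpool_bundle_urls(config_text):
    """Return the cabundle URLs under 'crypto pki trustpool policy'."""
    urls, in_policy = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # A non-indented line opens a new top-level block.
            in_policy = line.lower() == "crypto pki trustpool policy"
        elif in_policy:
            m = re.match(r"cabundle url (\S+)$", line, re.IGNORECASE)
            if m:
                urls.append(m.group(1))
    return urls

def matches_bug_conditions(config_text):
    """True when the default bundle and a non-default bundle are both set."""
    urls = set(trustpool_bundle_urls(config_text))
    return DEFAULT_BUNDLE in urls and len(urls) > 1

def affected_devices(configs):
    """Map of device name -> config text in, sorted affected names out."""
    return sorted(n for n, c in configs.items() if matches_bug_conditions(c))

# Constructed sample configurations (hostnames are hypothetical).
BEFORE = """\
hostname cube-a
!
crypto pki trustpool policy
 cabundle url http://www.cisco.com/security/pki/trs/ios_core.p7b
 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
!
"""
AFTER = """\
hostname cube-b
!
crypto pki trustpool policy
 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
!
"""

if __name__ == "__main__":
    print(affected_devices({"cube-a": BEFORE, "cube-b": AFTER}))
```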
Further Problem Description