BugZero | Cisco BugID CSCwe28717 - Certifcate failures observed when joining APs to 9...

OPERATIONAL DEFECT DATABASE

...

BugZero | Cisco BugID CSCwe28717 - Certifcate failures observed when joining APs to 9...

Cisco - Defect ID: CSCwe28717

Certifcate failures observed when joining APs to 9800 using CMCA III

Cisco - Defect ID: CSCwe28717

Certifcate failures observed when joining APs to 9800 using CMCA III

Last updated on September 8th, 2025

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

General

we shouldnt see the certificate error isse and AP should able to join controller properly without any issues after upgrading to latest 17.9.3 image

Symptom

Certificate issues causing DTLS failures may be observed when joining APs to a 9800 using the new CMCA III certificate structure AP console error: display_verify_cert_status: Verify Cert: FAILED at 0 depth: unable to get local issuer certificate

Conditions

Issue is seen in 17.7.1 through 17.9.2

Workaround

workaround is to toggle wireless management trustpoint: WLC#conf t WLC(config)#wireless management trustpoint dummy WLC(config)#no wireless management trustpoint dummy WLC(config)#end WLC#

Further Problem Description

From 17.7.1 onwards WLC and AP supports SUDI-2099 certificate. If AP tries to join from older version then WLC will identify AP old version doesn't support SUDI-2099 and then presents SHA2-2037 SUDI in DTLS handshake. There is a race-condition issue during bootup (when IOSd is busy) and SHA2-2037 loading in DTLS fails. Once we toggle 'wireless management trustpoint ' configuration (set then remove) then SUDI cert loading will be retriggered in DTLS.

Change history

2025-09-08 Added: 17.12.6, 17.15.4, 17.15.4a, 17.18.1, 17.18.1a

2025-08-25 Added: 17.15.4, 17.15.4a, 17.18.1, 17.18.1a

2025-08-18 Added: 17.15.4, 17.15.4a

2025-07-07 Added: 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.1y, 17.12.1z, 17.12.1z1, 17.12.1z2, 17.12.1z3, 17.12.1z4, 17.12.2, 17.12.2a, 17.12.3, 17.12.3a, 17.12.4, 17.12.4a, 17.12.4b, 17.12.5, 17.12.5a, 17.12.5b, 17.13.1, 17.13.1a, 17.14.1, 17.14.1a, 17.15.1, 17.15.1a, 17.15.1b, 17.15.1w, 17.15.1x, 17.15.1y, 17.15.2, 17.15.2a, 17.15.2b, 17.15.2c, 17.15.3, 17.15.3a, 17.15.3b, 17.16.1, 17.16.1a, 17.17.1, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, 17.9.5c, 17.9.5d, 17.9.5e, 17.9.5f, 17.9.6, 17.9.6a, 17.9.6b, 17.9.7, 17.9.7a, 17.9.7b

Links

Original Vendor Announcement

Relevant Products

Click on a version to see all relevant bugs

Affected versions:No known affected versions

Fixed versions: 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.1y, 17.12.1z, 17.12.1z1, 17.12.1z2, 17.12.1z3, 17.12.1z4, 17.12.2, 17.12.2a, 17.12.3, 17.12.3a, 17.12.4, 17.12.4a, 17.12.4b, 17.12.5, 17.12.5a, 17.12.5b, 17.12.6, 17.13.1, 17.13.1a, 17.14.1, 17.14.1a, 17.15.1, 17.15.1a, 17.15.1b, 17.15.1w, 17.15.1x, 17.15.1y, 17.15.2, 17.15.2a, 17.15.2b, 17.15.2c, 17.15.3, 17.15.3a, 17.15.3b, 17.15.4, 17.15.4a, 17.16.1, 17.16.1a, 17.17.1, 17.18.1, 17.18.1a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, 17.9.5c, 17.9.5d, 17.9.5e, 17.9.5f, 17.9.6, 17.9.6a, 17.9.6b, 17.9.7, 17.9.7a, 17.9.7b

Relevant Products

Click on a version to see all relevant bugs

Affected versions:No known affected versions

Top Cisco Defects

9.7Defect ID: CSCwh87343
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
9.7Defect ID: CSCwf08698
Cat9k Crashes Unexpectedly due to a Fault in the 'TLSCLIENT_PROCESS'
9.7Defect ID: CSCvm90995
ASR1000-RP2: Rommon fails to boot Cisco IOS software of 1GB size
9.7Defect ID: CSCvx32806
Access Points stuck in bootloop due to image checksum verification failed
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwe28717

Certifcate failures observed when joining APs to 9800 using CMCA III

Cisco - Defect ID: CSCwe28717

Certifcate failures observed when joining APs to 9800 using CMCA III

Last updated on September 8th, 2025

BugZero Risk Score7.8 High

Bug Details

General

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
7.8 High