A Cisco Secure Unique Device Identifier (SUDI) certificate that is registered to a Public Key Infrastructure (PKI) and that is also used to configure certain functionalities will expire on a limited number of Cisco Catalyst 9000 Switching products. Any service that relies on a SUDI certificate to establish a secure connection might not work after the certificate expires.
To determine whether a SUDI trust point is used, enter this command:

    Switch# show run | i CISCO_IDEVID_SUDI

Features that might be linked to the SUDI certificate are shown in these sample configurations:

HTTPS
    ip http secure-trustpoint CISCO_IDEVID_SUDI
    ip http client secure-trustpoint CISCO_IDEVID_SUDI

SSH authentication that uses certificates
    ip ssh server certificate profile
     server
      trustpoint sign CISCO_IDEVID_SUDI

Zero Touch Deployment (ZTD) that uses a certificate enrollment profile for enrollment or reenrollment
    crypto pki profile enrollment profile-name
     credential CISCO_IDEVID_SUDI

Then check the validity dates of the certificate associated with the trust point:

    Cat9kSwitch#show crypto pki certificates
    Certificate
      Status: Available
      Certificate Serial Number (hex): 0380EC27
      Certificate Usage: General Purpose
      Issuer:
        cn=ACT2 SUDI CA
        o=Cisco
      Subject:
        Name: C9200-24T
        Serial Number: PID:C9200-24T SN:JAD23060F5A
        cn=C9200-24T
        ou=ACT-2 Lite SUDI
        o=Cisco
        serialNumber=PID:C9200-24T SN:JAD23060F5A
      Validity Date:
        start date: 08:37:26 UTC Feb 12 2019
        end   date: 20:25:41 UTC May 14 2029   <<====== affected if the year is NOT 2099 but 2037, 2029 or earlier
      Associated Trustpoints: CISCO_IDEVID_SUDI
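To apply the two checks above to saved command output from many switches, here is an added example (not from the field notice or from Cisco) that parses `show crypto pki certificates` text and a running-config excerpt and reports a device as at risk only when a feature is bound to CISCO_IDEVID_SUDI and the SUDI certificate does not carry the expected 2099 end year. The function names are this example's own, the sample text is constructed to match the output format quoted above, and the date format assumed is the IOS XE validity-line format shown there.

```python
import re
from datetime import datetime, timezone
# Constructed sample modelled on the notice's show output (not a real capture); 2nd entry is non-SUDI.
SAMPLE_SHOW_CERTS = """\
Certificate
  Certificate Serial Number (hex): 0380EC27
  Validity Date:
    start date: 08:37:26 UTC Feb 12 2019
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI
Certificate
  Certificate Serial Number (hex): 02
  Validity Date:
    end   date: 00:00:00 UTC Jan 1 2033
  Associated Trustpoints: TP-self-signed-1
"""
# Constructed running-config excerpt: HTTPS and SSH bound to the SUDI trust point.
SAMPLE_RUN_CFG = """\
ip http secure-trustpoint CISCO_IDEVID_SUDI
ip ssh server certificate profile
 server
  trustpoint sign CISCO_IDEVID_SUDI
ip http client secure-trustpoint TP-self-signed-1
"""

def parse_certificates(show_output):
    """One dict per certificate block; a block starts at a column-0 line."""
    certs = []
    for block in re.split(r"(?m)^(?=\S)", show_output):
        if not block.strip():
            continue
        serial = re.search(r"Serial Number \(hex\):\s*(\S+)", block)
        end = re.search(r"end\s+date:\s*(.+)", block)  # IOS XE validity line
        tps = re.search(r"Associated Trustpoints:\s*(.+)", block)
        certs.append({
            "serial": serial.group(1) if serial else None,
            "end": datetime.strptime(end.group(1).strip(), "%H:%M:%S UTC %b %d %Y")
                   .replace(tzinfo=timezone.utc) if end else None,
            "trustpoints": tps.group(1).split() if tps else []})
    return certs
def sudi_config_refs(running_config, trustpoint="CISCO_IDEVID_SUDI"):
    # Equivalent of 'show run | i CISCO_IDEVID_SUDI': features bound to the trust point.
    return [l.strip() for l in running_config.splitlines() if trustpoint in l]
def sudi_expiry_report(show_output, running_config, expected_year=2099):
    """At risk only when a SUDI-bound feature exists AND the SUDI cert lacks the 2099 end year."""
    refs = sudi_config_refs(running_config)
    bad = [c for c in parse_certificates(show_output) if "CISCO_IDEVID_SUDI"
           in c["trustpoints"] and c["end"] and c["end"].year < expected_year]
    return {"affected_features": refs, "expiring_certs": bad,
            "at_risk": bool(refs) and bool(bad)}
```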
Please refer to the field notice for more details.
Any services that rely on a trust point that is configured with an expired Cisco SUDI certificate will be affected. Some examples are:

• HTTP Server over TLS (HTTPS) - HTTPS will produce an error in the browser which indicates that the certificate is expired.
• SSH Server - Applications that use SUDI certificates to authenticate the SSH session might fail to authenticate.

Note: This use of SUDI certificates is rare. Username/password authentication and non-SUDI public/private key authentication are not affected.