...
A Cisco Secure Unique Device Identifier (SUDI) certificate that is registered to a Public Key Infrastructure (PKI) and that is also used to configure certain functionalities will expire on a limited number of Cisco Catalyst 9000 Switching products. Any service that relies on a SUDI certificate to establish a secure connection might not work after the certificate expires.
To determine if a SUDI trust point is used, enter this command:

    Switch# show run | i CISCO_IDEVID_SUDI

For example, features that might be linked to the SUDI certificate are shown in these sample configurations:

HTTPS

    ip http secure-trustpoint CISCO_IDEVID_SUDI
    ip http client secure-trustpoint CISCO_IDEVID_SUDI

SSH authentication that uses certificates

    ip ssh server certificate profile
     server
      trustpoint sign CISCO_IDEVID_SUDI

Zero Touch Deployment (ZTD) that uses a certificate enrollment profile for enrollment or reenrollment

    crypto pki profile enrollment profile-name
     credential CISCO_IDEVID_SUDI

And...

    Cat9kSwitch#show crypto pki certificates
    Certificate
      Status: Available
      Certificate Serial Number (hex): 0380EC27
      Certificate Usage: General Purpose
      Issuer:
        cn=ACT2 SUDI CA
        o=Cisco
      Subject:
        Name: C9200-24T
        Serial Number: PID:C9200-24T SN:JAD23060F5A
        cn=C9200-24T
        ou=ACT-2 Lite SUDI
        o=Cisco
        serialNumber=PID:C9200-24T SN:JAD23060F5A
      Validity Date:
        start date: 08:37:26 UTC Feb 12 2019
        end date: 20:25:41 UTC May 14 2029 <<====== If year is NOT 2099 but 2037 or 2029 or earlier.
      Associated Trustpoints: CISCO_IDEVID_SUDI

Please refer to the field notice for more details.
Any services that rely on a trust point that is configured with an expired Cisco SUDI certificate will be affected. Some examples are:

• HTTP Server over TLS (HTTPS) - HTTPS will produce an error in the browser which indicates that the certificate is expired.
• SSH Server - Applications that use SUDI certificates to authenticate the SSH session might fail to authenticate.

Note: This use of SUDI certificates is rare. Username/password authentication and non-SUDI public/private key authentication are not affected.
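
The check described above, as an added example that is not part of the original post or Cisco's own tooling: it parses pasted "show crypto pki certificates" output, flags certificates bound to CISCO_IDEVID_SUDI whose end year is not 2099, and lists the running-config lines that depend on that trust point. The function names, the constructed sample text and the treatment of the time zone as UTC are assumptions.

```python
import re
from datetime import datetime, timezone

TRUSTPOINT = "CISCO_IDEVID_SUDI"
END_RE = re.compile(r"end\s+date:\s*(\d\d:\d\d:\d\d) \w+ (\w{3}) +(\d{1,2}) (\d{4})")

# Constructed sample inputs, modelled on the command output and config lines above.
SHOW_CERTS = """\
Certificate
  Certificate Serial Number (hex): 0380EC27
  Validity Date:
    start date: 08:37:26 UTC Feb 12 2019
    end   date: 20:25:41 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI
"""
SHOW_RUN = """\
hostname Cat9kSwitch
ip http secure-trustpoint CISCO_IDEVID_SUDI
ip http client secure-trustpoint CISCO_IDEVID_SUDI
"""

def sudi_cert_findings(show_certs, now):
    """Yield one finding per certificate block bound to the SUDI trust point."""
    # A block starts at an unindented "Certificate" or "CA Certificate" line.
    for block in re.split(r"(?m)^(?=(?:CA )?Certificate[ \t]*$)", show_certs):
        tps = re.search(r"Associated Trustpoints:\s*(.+)", block)
        end = END_RE.search(block)
        if not (tps and end and TRUSTPOINT in tps.group(1).split()):
            continue
        clock, mon, day, year = end.groups()  # time zone treated as UTC (assumption)
        expires = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
        serial = re.search(r"Serial Number \(hex\):\s*(\S+)", block)
        yield {
            "serial": serial.group(1) if serial else None,
            "expires": expires,
            "at_risk": expires.year != 2099,  # the page's rule: end year is not 2099
            "days_left": (expires - now).days,
        }

def dependent_config(show_run):
    """Running-config lines that name the SUDI trust point."""
    return [ln.strip() for ln in show_run.splitlines() if TRUSTPOINT in ln.split()]

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for f in sudi_cert_findings(SHOW_CERTS, now):
        print(f["serial"], f["expires"].date(), f["days_left"], "AT RISK" if f["at_risk"] else "ok")
    for line in dependent_config(SHOW_RUN):
        print("depends on SUDI:", line)
```

A device is exposed only when both results are non-empty: a flagged certificate and at least one configuration line that references the trust point.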