FN-70489: PKI Self-Signed Certificate Expiration

With the release of Star Wars TRoS this past Friday, the only “FN” on most people’s minds was FN-2187 (Finn). However, another FN was released on December 17th, and that’s the topic of today’s post: FN-70489.

On the surface this FN sounds VERY concerning, but let’s dive a little deeper to see whether you are in fact impacted.

The most important statement is in the “Note” of the Problem Description:

“To be impacted by this issue, a device must have a self-signed certificate defined AND the self-signed certificate must be applied to one or more features as outlined below.”

As we can see, it’s a two-part problem:

  1. Do you have self-signed certs that expire on January 1st, 2020?
  2. Are there any services running that use said self-signed certs?

The good news is that I spent time with my clients and while #1 may have been true, #2 was false, so we were NOT impacted. Both conditions 1 & 2 have to be met to be impacted.

The most common service that comes to mind is SSH access for management. The good news is that if you used the RSA key pair (crypto key generate rsa…) you are NOT impacted. Only X.509 certs used for SSH would be impacted, and that is a really rare situation.

The same can be said for HTTPS (ip http secure-server), but for security reasons I hope most folks disable this service.

Here’s an example of me validating my own C3850.

n3tArk_3850#sh run | begin crypto
 enrollment selfsigned   < I have a self-signed cert

Now I must check to see whether any of my services are using the self-signed cert:

n3tArk_3850#sh run | include ip ssh
ip ssh source-interface Vlan777
ip ssh version 2
< not using the self-signed cert, OK

If I were using the built-in X.509 cert it would look something like this:

ip ssh server certificate profile
 server
  trustpoint sign TP-self-signed-xxxxxx
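The same two-part check, scripted against a saved running-config, as an added example (not the author’s or Cisco’s code): collect every trustpoint enrolled as selfsigned (condition 1), then report which features bind one of them (condition 2). The sample configs are constructed; the HTTPS check keys on ip http secure-trustpoint, which the post does not show, so treat that pattern as an assumption to confirm against your own config.

```python
import re

# Constructed sample running-configs (not from the post), one per case.
CONFIG_SSH_RSA = """\
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
!
ip ssh source-interface Vlan777
ip ssh version 2
"""
CONFIG_SSH_X509 = CONFIG_SSH_RSA + """\
ip ssh server certificate profile
 server
  trustpoint sign TP-self-signed-1234567890
"""

def self_signed_trustpoints(config):
    """Condition 1: names of trustpoints enrolled as 'selfsigned'."""
    found, current = set(), None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip() == "enrollment selfsigned":
            found.add(current)
        elif not line.startswith(" "):  # any unindented line ends the block
            current = None
    return found

def features_using(config, trustpoints):
    """Condition 2: {feature: [trustpoint, ...]} for features bound to them."""
    # 'trustpoint sign' lives under 'ip ssh server certificate profile';
    # 'ip http secure-trustpoint' is assumed to bind the HTTPS server cert.
    patterns = {"ssh": r"\s+trustpoint sign (\S+)",
                "https": r"ip http secure-trustpoint (\S+)"}
    uses = {}
    for line in config.splitlines():
        for feature, pat in patterns.items():
            m = re.match(pat, line)
            if m and m.group(1) in trustpoints:
                uses.setdefault(feature, []).append(m.group(1))
    return uses

def impacted_features(config):
    """Empty dict means not impacted: both conditions must hold."""
    tps = self_signed_trustpoints(config)
    return features_using(config, tps) if tps else {}
```

Feed it the output of `show running-config`; an empty result means the self-signed cert exists but nothing is using it, which is exactly the "condition 1 true, condition 2 false" case from the post.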

All that said, it’s really not as bad as the original problem statement may allude to.

The world of networking will NOT end on January 1st, 2020 as you ring in the new year. 😉

Merry Christmas and Happy New Year!

Reference FN Notice: https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html

Technical Overview: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html
