QuoVadis Root CA 2 Decommission and Transition to IdenTrust Commercial Root CA 1 - Action Required


Overview

Many Cisco products and public-facing services are transitioning from a QuoVadis Public Key Infrastructure (PKI) Certificate Authority (CA) to a CA provided by IdenTrust. This transition requires that all affected Cisco products be upgraded to recognize PKI certificates provided by the IdenTrust CA. Cisco has published field notices to provide specific instructions on how to perform this PKI upgrade on affected products.

Background

Cisco products and software communicate with backend and cloud services using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). PKI certificates allow for secure connections to public-facing services on Cisco.com such as Smart License and Smart Call Home.

In July 2020, there was an industry-wide issue affecting the revocation abilities of certain Certificate Authorities (CAs). As a result, DigiCert (which operates the QuoVadis Root CA 2) opted to decommission the use of this root for any new TLS certificate issuance. Cisco consequently transitioned to a different PKI service provided by IdenTrust, issued from the IdenTrust Commercial Root CA 1. This means Cisco’s public-facing services are migrating their certificates from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1, and Cisco products and software are being updated to include the IdenTrust Commercial Root CA 1 in their PKI trust store.

Refer to the Field Notices below for information on how to add the new IdenTrust Commercial Root CA 1 to your product.

More Information

For more information on the industry-wide revocation issue, consult the following web document: https://www.digicert.com/dc/blog/working-with-delegated-ocsp-responders-and-eku-chaining/

Field Notices

Cisco is providing notification via Field Notices to help customers transition their products to IdenTrust Commercial Root CA 1 and minimize disruption. Cisco recommends customers apply the Software Upgrade or Manual Workaround identified in the Field Notices.

There are no known security implications associated with this issue. However, Cisco recommends customers always review the latest Security Advisories at www.cisco.com/go/psirt before making upgrade decisions.

Note: Field Notices may be updated periodically.

Technology Area / Product: Field Notice and Solution

Collaboration
  • Cisco Unity Express: FN72314
  • Unified Contact Center Express (UCCX) and Customer Collaboration Portal (CCP): FN70557
  • Cisco Unified SIP Proxy: FN72315
  • CUCM, SME, and IM&P, Incoming Calls to Cisco Jabber/WebEx (Android and iOS): FN72120
  • Expressway and VCS: FN70527
  • Cisco Unity Connection: FN72291
  • Cisco Emergency Responder: FN72289
  • Cisco Unified Communications Manager/Session Management Edition: FN72318
  • Prime License Manager: FN72121
  • Unified Contact Center Enterprise (UCCE)/Packaged Contact Center Enterprise (PCCE) and Unified Customer Voice Portal (CVP): FN72306

Data Center
  • Nexus Product Line: FN72115

Enterprise Networking
  • Cisco IOS XE Software: FN72323
  • Converged Broadband Router (cBR8): FN72116
  • Prime Infrastructure: FN72110
  • Cisco Identity Services Engine: FN72111
  • Cisco DNA Center: FN72359
  • AireOS: FN72415

Internet of Things
  • IE3x00 and ESS3x00 Switches: FN72298

Security
  • ASA and Firepower: FN72103
  • Security Management Appliance (SMA): FN72109
  • Cisco Secure Email Gateway (ESA) and Web Security Appliance (WSA): FN72113
  • Email Security Appliance: FN72106
  • Secure Network Analytics: FN72369

Service Provider
  • Cisco IOS XR Software: FN72290

Small Business
  • Cisco 2 Port Phone Adapter SPA112, Cisco SPA122: FN72345
  • Cisco IP Phones: SPA5xx: FN72352
  • Cisco Unified IP Conference Phone CP-8831: FN72366
  • Cisco Business Wireless Access Points CBW14x/24x: FN72353

Smart Licensing
  • Cisco Smart License Utility (CSLU): Not Impacted
  • Cisco Smart Software Manager On-Prem: Not Impacted

Frequently Asked Questions (FAQ)

Q: As Cisco migrates from QuoVadis Root CA 2 to IdenTrust Commercial Root CA 1, will my existing device certificates continue to be valid?

All existing certificates issued from the QuoVadis Root CA 2 will continue to be valid until their natural expiration. However, for a full overview of any potential impact, please consider the following two questions as well.

Q: Will my device continue to function as expected?

Consult the individual Field Notice for impact.

Q: My device’s QuoVadis Root CA 2 certificate is not expiring, is my device still affected?

Cisco public-facing services are also migrating from QuoVadis Root CA 2 to IdenTrust Commercial Root CA 1. As these migrations occur, the affected devices will not be able to connect unless they have been upgraded to include the IdenTrust Commercial Root CA 1. Refer to the table below for the QuoVadis Root CA 2 certificate expiration dates. Refer to the individual Field Notice for product-specific impact dates.

Cisco Cloud Server (QuoVadis Certificate Expiration Date): Affected Services

tools.cisco.com (expires February 5, 2022)
  • Smart Licensing
  • Smart Call Home

smartreceiver.cisco.com (expires January 26, 2023)
  • Smart Licensing

Q: Is Cisco’s QuoVadis Root CA 2 Certificate revoked?

No. The QuoVadis Root CA 2 is NOT being revoked and this transition carries no security implications. The existing QuoVadis Root CA 2 certificates on Cisco products are valid and will continue to be valid until their expiration date.

Q: Should QuoVadis Root CA 2 Certificate be removed from Cisco Products?

No. The QuoVadis Root CA 2 certificates should not be summarily removed from Cisco products. Some Cisco services will continue to use QuoVadis Root CA 2 until they complete their individual migration to IdenTrust.

Q: Where can I find the new IdenTrust Commercial Root CA 1 certificate in .pem format?

The .pem file is included as part of the specific product software upgrade image. It is also provided inline in each Field Notice. The IdenTrust Commercial Root CA 1 was included in the Cisco Core Trusted Root Bundle as of the November 2020 update.
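The two answers above come down to one operational check: the IdenTrust Commercial Root CA 1 must be present in the product's trust bundle before the Cisco service it talks to moves its chain to that root, and a root pasted from a Field Notice should be verified before it is installed. The following script is an added example, not Cisco's code or part of any Field Notice. It uses only the Python standard library: it parses a PEM bundle into DER certificates, rejects a truncated paste (BEGIN without END), computes the SHA-256 fingerprint in the colon-separated form CAs publish, and reports whether a certificate with an expected fingerprint is in the bundle. The bundle in the block is constructed for the test (its bodies are the base64 of "abc" and "hello", not real certificates), and EXPECTED_IDENTRUST_FP is a placeholder to be replaced with the fingerprint published for the root; neither value comes from the page.

```python
"""Check a PEM trust bundle for a root certificate by SHA-256 fingerprint.

Added example (not Cisco's code). Standard library only, so it runs offline
on any host where the product's trust bundle or a Field Notice .pem was copied.
"""
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Placeholder, not the real value: take the fingerprint of IdenTrust
# Commercial Root CA 1 from the Field Notice or the CA's published listing.
EXPECTED_IDENTRUST_FP = "PLACEHOLDER:REPLACE:WITH:PUBLISHED:FINGERPRINT"

# Constructed sample bundle (NOT real certificates): the bodies are the
# base64 of the strings "abc" and "hello" so the fingerprints are predictable.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle.

    Raises ValueError when a BEGIN line has no matching END line (the usual
    symptom of a root pasted incompletely from a notice) or when a body is
    not valid base64.
    """
    begins = text.count("-----BEGIN CERTIFICATE-----")
    bodies = PEM_RE.findall(text)
    if len(bodies) != begins:
        raise ValueError("unterminated PEM certificate block")
    ders = []
    for body in bodies:
        b64 = "".join(body.split())  # drop LF/CRLF line breaks and indentation
        try:
            ders.append(base64.b64decode(b64, validate=True))
        except ValueError as exc:
            raise ValueError("PEM body is not valid base64") from exc
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings of a fingerprint."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def bundle_contains(bundle_text: str, expected_fp: str) -> bool:
    """True if any certificate in the bundle has the expected fingerprint."""
    want = normalize(expected_fp)
    return any(
        hmac.compare_digest(normalize(fingerprint(der)), want)
        for der in parse_pem_bundle(bundle_text)
    )


if __name__ == "__main__":
    # Usage: python check_bundle.py /path/to/trust-bundle.pem
    with open(sys.argv[1], encoding="utf-8") as fh:
        bundle = fh.read()
    for n, der in enumerate(parse_pem_bundle(bundle), start=1):
        print(f"cert {n}: {fingerprint(der)}")
    print("IdenTrust root present:", bundle_contains(bundle, EXPECTED_IDENTRUST_FP))
```

The check keys on the fingerprint rather than the subject name because a subject string can be copied into any self-signed certificate, while the fingerprint pins the exact DER the CA published. Per the answer above, a passing check says only that the new root is present; the QuoVadis Root CA 2 entry should be left in place until every service the product uses has completed its migration.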

Q: Is Cisco moving away from HydrantID as the supplier of TLS Certificates?

No. HydrantID will continue to provide TLS certificates for Cisco. Due to the recent acquisition of HydrantID by IdenTrust/HID, they are now able to offer Cisco more robust Root CA options for public trust.

Q: I have a question not addressed here. Where do I go for an answer?

For additional information, please contact your contracted support organization. If your organization receives support directly from Cisco, please see Cisco Worldwide Support Contacts.


This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

