Many Cisco products and public-facing services are transitioning from a QuoVadis Public Key Infrastructure (PKI) Certificate Authority (CA) to a CA provided by IdenTrust. This transition requires that all affected Cisco products be upgraded to recognize PKI certificates provided by the IdenTrust CA. Cisco has published field notices to provide specific instructions on how to perform this PKI upgrade on affected products.
Background
Cisco products and software communicate with backend and cloud services using Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL). PKI certificates allow for secure connections to public-facing services on Cisco.com such as Smart License and Smart Call Home.
In July of 2020, there was an industry-wide issue affecting the revocation abilities of certain Certificate Authorities (CA). As a result, DigiCert (which operates the QuoVadis Root CA 2) opted to decommission the use of this root for any new TLS certificate issuance. Cisco consequently transitioned to a different PKI service provided by IdenTrust, issued from the IdenTrust Commercial Root CA 1. This means Cisco’s public-facing services are migrating their certificates from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 and Cisco products and software are being updated to include IdenTrust Commercial Root CA 1 in their PKI trust store.
Refer to the Field Notices below for information on how to add the new IdenTrust Commercial Root CA 1 to your product.
More Information
For more information on the industry-wide revocation issue, consult the following web document: https://www.digicert.com/dc/blog/working-with-delegated-ocsp-responders-and-eku-chaining/
Cisco is providing notification via Field Notices to help customers transition their products to IdenTrust Commercial Root CA 1 and minimize disruption. Cisco recommends customers apply the Software Upgrade or Manual Workaround identified in the Field Notices.
There are no known security implications associated with this issue. However, Cisco recommends customers always review the latest Security Advisories at www.cisco.com/go/psirt before making upgrade decisions.
Note: Field Notices may be updated periodically.
Technology Area/Product | Field Notice and Solution |
---|---|
Collaboration | |
Cisco Unity Express | FN72314 |
Unified Contact Center Express (UCCX) and Customer Collaboration Portal (CCP) | FN70557 |
Cisco Unified SIP Proxy | FN72315 |
CUCM, SME, and IM&P, Incoming Calls to Cisco Jabber/WebEx (Android and iOS) | FN72120 |
Expressway and VCS | FN70527 |
Cisco Unity Connection | FN72291 |
Cisco Emergency Responder | FN72289 |
Cisco Unified Communications Manager/Session Management Edition | FN72318 |
Prime License Manager | FN72121 |
Unified Contact Center Enterprise (UCCE)/Packaged Contact Center Enterprise (PCCE) and Unified Customer Voice Portal (CVP) | FN72306 |
Data Center | |
Nexus Product Line | FN72115 |
Enterprise Networking | |
Cisco IOS XE Software | FN72323 |
Converged Broadband Router (cBR8) | FN72116 |
Prime Infrastructure | FN72110 |
Cisco Identity Services Engine | FN72111 |
Cisco DNA Center | FN72359 |
AireOS | FN72415 |
Internet of Things | |
IE3x00 and ESS3x00 Switches | FN72298 |
Security | |
ASA and Firepower | FN72103 |
Security Management Appliance (SMA) | FN72109 |
Cisco Secure Email Gateway (ESA) and Web Security Appliance (WSA) | FN72113 |
Email Security Appliance | FN72106 |
Secure Network Analytics | FN72369 |
Service Provider | |
Cisco IOS XR Software | FN72290 |
Small Business | |
Cisco 2 Port Phone Adapter SPA112, Cisco SPA122 | FN72345 |
Cisco IP Phones: SPA5xx | FN72352 |
Cisco Unified IP Conference Phone CP-8831 | FN72366 |
Cisco Business Wireless Access Points CBW14x/24x | FN72353 |
Smart Licensing | |
Cisco Smart License Utility (CSLU) | Not Impacted |
Cisco Smart Software Manager On-Prem | Not Impacted |
Q: As Cisco migrates from QuoVadis Root CA 2 to IdenTrust Commercial Root CA 1, will my existing device certificates continue to be valid?
All existing certificates issued from the QuoVadis Root CA 2 will continue to be valid until their natural expiration. However, for a full overview of any potential impact, please consider the following two questions as well.
Q: Will my device continue to function as expected?
Consult the individual Field Notice for impact.
Q: My device’s QuoVadis Root CA 2 certificate is not expiring, is my device still affected?
Cisco public-facing services are also migrating from QuoVadis Root CA 2 to IdenTrust Commercial Root CA 1. As these migrations occur, the affected devices will not be able to connect unless they have been upgraded to include the IdenTrust Commercial Root CA 1. Refer to the table below for the QuoVadis Root CA 2 certificate expiration dates. Refer to the individual Field Notice for product-specific impact dates.
Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
---|---|---|
tools.cisco.com | February 5, 2022 | |
smartreceiver.cisco.com | January 26, 2023 | |
Q: Is Cisco’s QuoVadis Root CA 2 Certificate revoked?
No. The QuoVadis Root CA 2 is NOT being revoked and this transition carries no security implications. The existing QuoVadis Root CA 2 certificates on Cisco products are valid and will continue to be valid until their expiration date.
Q: Should QuoVadis Root CA 2 Certificate be removed from Cisco Products?
No. The QuoVadis Root CA 2 certificates should not be summarily removed from Cisco products. Some Cisco services will continue to use QuoVadis Root CA 2 until they complete their individual migration to IdenTrust.
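One check a practitioner can run on an exported trust bundle after applying a Field Notice upgrade or workaround, covering both the question about devices needing the IdenTrust root and the advice above not to remove QuoVadis Root CA 2 yet. This is an added example, not Cisco's code: it audits a PEM bundle with the Python `cryptography` library, and the certificates it generates are constructed stand-ins that only share the real roots' common names.

```python
import datetime
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Roots named on this page: the new one must be present, the old one must not be removed yet.
REQUIRED_ROOTS = ("IdenTrust Commercial Root CA 1", "QuoVadis Root CA 2")
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _not_after(cert: x509.Certificate) -> datetime.datetime:
    # cryptography >= 42 exposes a tz-aware accessor; older releases return naive UTC
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware if aware is not None else cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)

def audit_bundle(pem: bytes, now: datetime.datetime = None) -> dict:
    """Map each required root CN to 'present', 'expired' or 'missing' for the given bundle."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    status = {}
    for block in PEM_BLOCK.findall(pem):
        cert = x509.load_pem_x509_certificate(block)
        cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        if cns:
            status[cns[0].value] = "expired" if _not_after(cert) < now else "present"
    return {name: status.get(name, "missing") for name in REQUIRED_ROOTS}

def make_stand_in_root(common_name: str, days_valid: int) -> bytes:
    """Constructed self-signed test cert with the given CN; NOT the real CA's certificate.
    Validity starts 10 days ago, so days_valid < 10 yields an already-expired cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(days=10)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=days_valid))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)

if __name__ == "__main__":
    # Constructed pre-upgrade bundle: QuoVadis stand-in only, IdenTrust root not yet added.
    pre_upgrade = make_stand_in_root("QuoVadis Root CA 2", 3650)
    print(audit_bundle(pre_upgrade))
    print(audit_bundle(pre_upgrade + make_stand_in_root("IdenTrust Commercial Root CA 1", 3650)))
```

Run it against a bundle exported from the device instead of the constructed one; a result of "missing" for the IdenTrust root means the Field Notice steps have not taken effect.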
Q: Where can I find the new IdenTrust Commercial Root CA 1 certificate in .pem format?
The .pem file is included as part of the specific product software upgrade image. It is also provided inline in each Field Notice. The IdenTrust Commercial Root CA 1 was included in the Cisco Core Trusted Root Bundle as of the November 2020 update.
Q: Is Cisco moving away from HydrantID as the supplier of TLS Certificates?
No. HydrantID will continue to provide TLS certificates for Cisco. Due to the recent acquisition of HydrantID by IdenTrust/HID, they are now able to offer Cisco more robust Root CA options for public trust.
Q: I have a question not addressed here. Where do I go for an answer?
For additional information, please contact your contracted support organization. If your organization receives support directly from Cisco, please see Cisco Worldwide Support Contacts.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.