topic Firepower 2100-series FXOS certificate regeneration in Network Security

Firepower 2100-series FXOS certificate regeneration

niko — Fri, 21 Feb 2020 15:51:39 GMT

Hi,

I'm getting an error about expired certificate from FXOS:

#show fault

Major F0853 2018-06-02T13:06:08.798 126445 default Keyring's certificate is invalid, reason: expired.

If checking further:

#scope security

#show keyring default

...

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost

...

So, yep, it is expired.

Classic FXOS way to extend the validity (https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/platform_settings.html#concept_emd_w3t_cy) does not help:

Firepower-chassis# scope security
Firepower-chassis /security # scope keyring default
Firepower-chassis /security/keyring* # set regenerate yes
Firepower-chassis /security/keyring* # commit-buffer

This is rejected on FP2100 series due to:
FTD* # commit-buffer
Error: Changes not allowed. use: 'connect ftd' to make changes.

Version FMC/FTD 6.2.3.1 & FXOS 2.3(1.84) - but is all bundled, so I don't have any options anyway.

At the moment cannot seem to find procedure for 2100-series where everything is bundled together and separate changes to FXOS are not done. How to regenerate certificate for this platform?

Re: Firepower 2100-series FXOS certificate regeneration

Warbs — Tue, 03 Jul 2018 14:32:18 GMT

Hi - we have the same issue with no fix at moment on 6.2.3.2 - has been escalated within Cisco.

Re: Firepower 2100-series FXOS certificate regeneration

paulo viteri — Thu, 05 Jul 2018 20:24:58 GMT

I have the same error. I tried to regenerate the certficate but the error is the same.

Re: Firepower 2100-series FXOS certificate regeneration

alfred.thyri — Tue, 27 Aug 2019 09:00:56 GMT

see bug note

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk26612/?rfs=iqvred

Re: Firepower 2100-series FXOS certificate regeneration

patoberli — Mon, 16 Dec 2019 09:01:40 GMT

Just executed your commands on my Firepower 2110 running latest ASA 9.12.3 code and it worked:

firepower-2110# scope security
firepower-2110 /security # scope keyring default
firepower-2110 /security/keyring # set regenerate yes
firepower-2110 /security/keyring* # commit-buffer
firepower-2110 /security/keyring # top

firepower-2110# show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Cleared F0853 2019-12-16T09:59:13.246 583116 default Keyring's certificate is invalid, reason: expired.
firepower-2110# show vers
Boot Loader version: 1.0.09
System version: 2.6(1.156)
Service Manager version: 2.6(1.156)
fpga version: 2.0.00
fpga golden version: 2.0.00
power sequencer version: 2.13
lanspi version: unknown

Re: Firepower 2100-series FXOS certificate regeneration

hoylea — Wed, 14 Feb 2024 20:27:05 GMT

for newer versions, see https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe60267 .

you have to do all three steps. "sysopt sam 1001 on" override is done in FXOS mode. Commit will give an error unless you first exit a couple times to the top menu (still in fxos)