https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965378#M263380 <P>Hi all,</P><P>How can I find out the certificate expiration date of an AP 3702? I have seen the 'show crypto pki certificates' command in various forums but in the case of my AP it does not recognize that command.</P><P>Thank you very much</P> Fri, 24 Nov 2023 06:08:17 GMT Aleck_Sei 2023-11-24T06:08:17Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965378#M263380 <P>Hi all,</P><P>How can I find out the certificate expiration date of an AP 3702? I have seen the 'show crypto pki certificates' command in various forums but in the case of my AP it does not recognize that command.</P><P>Thank you very much</P> Fri, 24 Nov 2023 06:08:17 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965378#M263380 Aleck_Sei 2023-11-24T06:08:17Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965399#M263382 <P>Cisco used to provide a tool to check the certificate (<A href="https://community.cisco.com/t5/wireless-mobility-knowledge-base/access-point-certificate-check-tool-apcertcheck/ta-p/3155582)" target="_blank">https://community.cisco.com/t5/wireless-mobility-knowledge-base/access-point-certificate-check-tool-apcertcheck/ta-p/3155582)</A>&nbsp;but this is now integrated on WLAN poller tool (<A href="https://developer.cisco.com/docs/wireless-troubleshooting-tools/#!wireless-troubleshooting-tools/wireless-troubleshooting-tools" target="_blank">https://developer.cisco.com/docs/wireless-troubleshooting-tools/#!wireless-troubleshooting-tools/wireless-troubleshooting-tools</A>)</P> Fri, 24 Nov 2023 07:00:42 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965399#M263382 JPavonM 2023-11-24T07:00:42Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965753#M263410 <P>Why waste time faffing around trying to check certificate dates?</P> <P>Just upgrade the software and use the workaround process provided in the field notice below (FN-63942) and then you don't have to worry about whether the certificates are expired or not.</P> <P>"sh crypto pki certificates" works fine on my 3702:<BR /><FONT face="courier new,courier">3702#sh crypto pki certificates</FONT><BR /><FONT face="courier new,courier">CA Certificate</FONT><BR /><FONT face="courier new,courier">Status: Available</FONT><BR /><FONT face="courier new,courier">Certificate Serial Number (hex): 01</FONT><BR /><FONT face="courier new,courier">Certificate Usage: Signature</FONT><BR /><FONT face="courier new,courier">Issuer:</FONT><BR /><FONT face="courier new,courier">cn=Cisco Root CA M2</FONT><BR /><FONT face="courier new,courier">o=Cisco</FONT><BR /><FONT face="courier new,courier">Subject:</FONT><BR /><FONT face="courier new,courier">cn=Cisco Root CA M2</FONT><BR /><FONT face="courier new,courier">o=Cisco</FONT><BR /><FONT face="courier new,courier">Validity Date:</FONT><BR /><FONT face="courier new,courier">start date: 13:00:18 UTC Nov 12 2012</FONT><BR /><FONT face="courier new,courier">end date: 13:00:18 UTC Nov 12 2037</FONT><BR /><FONT face="courier new,courier">Associated Trustpoints: Trustpool cisco-m2-root-cert</FONT><BR /><FONT face="courier new,courier">Storage:</FONT><BR /><BR /></P> Fri, 24 Nov 2023 17:01:29 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/4965753#M263410 Rich R 2023-11-24T17:01:29Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5056501#M269768 <P>I have more and more old C3702i that stops working because of expired certifikates.&nbsp;</P><P>So I installed a virtual WLC9800 where I adjusted the date to some time in the past.</P><P>In there I have contact with the AP's.</P><P>But even when I upgrade the software to the newest version, it will not update the expiry date on the certificates</P><P>The software I have tried for the AP's are&nbsp;Release 15.3.3-JPQ2, which is dated March 23, 2024</P><P>What can I do?</P><P>EDIT:<BR />I don't get it. If I go to the virtual WLC, and to Edit AP -&gt; Inventory, it says:</P><DIV class=""><SPAN class="">Certificate Expiry-time:&nbsp;</SPAN><SPAN class="">03/13/2024 02:59:35</SPAN></DIV><DIV class="">&nbsp;</DIV><DIV class=""><SPAN class="">But when I SSH into the AP, and writes&nbsp;show crypto pki certificates, it shows several certificates, whom many of them has expiry date long into the future.</SPAN></DIV><DIV class=""><SPAN class="">This one for example:</SPAN></DIV><DIV class=""><SPAN class="">CA Certificate<BR />Status: Available<BR />Certificate Serial Number (hex): 01<BR />Certificate Usage: Signature<BR />Issuer:<BR />cn=Cisco Root CA M2<BR />o=Cisco<BR />Subject:<BR />cn=Cisco Root CA M2<BR />o=Cisco<BR />Validity Date:<BR />start date: 13:00:18 UTC Nov 12 2012<BR />end date: 13:00:18 UTC Nov 12 2037<BR />Associated Trustpoints: Trustpool cisco-m2-root-cert<BR />Storage: </SPAN></DIV><P>But clearly it's the one showed under Edit AP -&gt; Inventory that is getting used, since the AP will not associate with our production WLC<BR /><BR /></P> Thu, 04 Apr 2024 14:40:32 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5056501#M269768 dal 2024-04-04T14:40:32Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5056509#M269770 <P>The one that matters is the MIC - Manufacturing Installed Certificate.&nbsp; It's installed in the AP in the factory and normally expires after 10 years.&nbsp; It <STRONG>cannot</STRONG> be updated or replaced.</P> <P>The only workaround is to force the WLC to ignore the expiry date of the AP MIC certificate using the config workaround provided in&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html </A><BR />You would need to do that on <STRONG>both</STRONG> the main 9800 and your virtual WLC so that the AP picks up and keeps the updated config on both.&nbsp; Upgrading the software will not make any difference to the MIC on the AP.<BR />Have you done that?</P> Thu, 04 Apr 2024 14:50:43 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5056509#M269770 Rich R 2024-04-04T14:50:43Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5056521#M269771 <P>Thanks, I have entered the commands:<BR /><BR /></P><PRE>configure terminal crypto pki certificate map map1 1 &nbsp;issuer-name co cisco manufacturing ca crypto pki certificate map map1 2 &nbsp;issuer-name co act2 sudi ca crypto pki trustpool policy &nbsp;match certificate map1 allow expired-certificate exit</PRE><P>Create a Certificate Map and Add the Rules</P><PRE>configure terminal<BR /> crypto pki certificate map map1 1 issuer-name co Cisco Manufacturing CA</PRE><P>Use the Certificate Map Under the Trustpool Policy</P><PRE>configure terminal crypto pki trustpool policy match certificate map1 allow expired-certificate</PRE><P>&nbsp;Guess we will have to wait and see the outcome.</P><P>Thanks again</P> Thu, 04 Apr 2024 15:19:47 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5056521#M269771 dal 2024-04-04T15:19:47Z https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5160493#M274528 <P>Hello everyone , So&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/290228">@dal</a>&nbsp;did this actually works? I 'm facing the same issue.</P> Tue, 13 Aug 2024 19:26:13 GMT https://community.cisco.com/t5/wireless/ap-3702-certificate-expiration-date/m-p/5160493#M274528 KarmaChris 2024-08-13T19:26:13Z