WAAS 4.2.3 Cert near expiration warning.

jkeeffe
Level 2

I have 6 WAAS NME modules, all running 4.2.3, and all giving this Major warning:

"Certificate waas-self .p12 is near expiration. It is configured as a machine cert in global settings."

How does one go about fixing this warning and getting a new cert?

Accepted Solution

I had this problem yesterday and opened a TAC case. The fix is easy and detailed below.

The WAE device has a factory self-signed cert which is installed when the device is manufactured (this is 5 years expiry by default). This default factory self-signed cert cannot be regenerated unless we factory default the appliance and re-register it to Central Manager. However, to avoid outages this can be addressed by generating a new self-signed certificate and then associating it to the ssl services global-settings. To accomplish this, please use the following sequence of commands:

#crypto generate self-signed-cert waas-self.p12 rsa modulus 1024

(config)#crypto ssl services global-settings machine-cert-key waas-self.p12

Moreover, this has been documented on CSCte05426. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte05426

11 Replies

Marcin Latosiewicz
Cisco Employee

First of all, check the existing cert: "show crypto certificates" or "show crypto certificate-detail NAME_OF_CERT"

Since your certs are self-signed I guess you can try to generate new ones.

"WAAS#crypto generate self-signed-cert NAME_HERE.p12"

Question is - are the current self signed certificates used anywhere? (SSL AO, secure store, etc etc ...?)

Marcin

I have neither SSL AO nor disk encryption enabled. I did as you suggested and generated a new cert named BEL.p12. I'll wait awhile and see if the error message clears out.

Do I need to remove the old factory-generated cert named _waas-self_.p12? If so, how do I delete it? I checked all the directories on the WAE and can't seem to find a file with that name.

You can delete cert very easily ;-)

#crypto delete pkcs12 ?
  WORD  PKCS12 certificate and key filename

For names -

#show crypto certificates

In your case it's _waas-self_.p12

HTH,

Marcin

Deleting the cert doesn't work:

BEL-NME-WAE-Edge#crypto delete pkcs12 _waas-self_.p12
Error: File does not exist
BEL-NME-WAE-Edge#

There doesn't seem to be a cert with that name. The only cert that shows up is the new one I just created called BEL.p12. I looked at the 'alerts' area on the WAAS manager GUI and there is a little more to the error alert:

Certificate _waas-self_.p12 is near expiration. It is configured as a machine cert in global settings.

I don't know what global settings this is talking about, but here is the output of 'sh crypto certificates':

BEL-NME-WAE-Edge#sh crypt certificates             

Certificate Only Store:
-----------------------

Managed Store:
--------------
File: BEL.p12            Format: PKCS12
EEC: Subject: C=US/ST=Washington/L=Seattle/O=Group Health/OU=IS/CN=www.ghc.org/emailAddress=tac@cisco.com
     Issuer: C=US/ST=Washington/L=Seattle/O=Group Health/OU=IS/CN=www.ghc.org/emailAddress=tac@cisco.com
--------------------------------------------------------------------------------

Local Store:
------------
Machine Self signed Certificate
-------------------------------
Format: PKCS12
Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com

Management Service Certificate
------------------------------
Format: PKCS12
EEC:Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
    Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
The WAAS Self Signed Certificate is being used as the Management Service Certificate
BEL-NME-WAE-Edge#

Any other ideas?

fjp_2
Level 1

Hi

I have recently upgraded all my WAAS devices to ver. 4.2.3b, and today (about 2 weeks after the upgrade) I get the same message for 12 devices (about 25% of our accelerators).

It must be some kind of bug in this version.

But the question is: will it affect the acceleration/functionality of these devices if I do nothing?

Just to be more precise I will just add an example of the messages in the log for the devices:

Wed Dec 1 11:26:38 UTC 2010   WAE   xxxWAAS01   Server  warning  Critical message on the node   %WAAS-SSLAO-1-133013: (667443) SSL AO: machine cert in the file __waas-self__.p12 is near expiration. 

It seems that it has something to do with the SSL Application Optimizer/Accelerator.

So far I do not use it, but probably will in the future...

Best regards,

Flemming

Guys, can you please check if you have any SSL accelerated services?

To use SSL AO you'd need a certificate (and key) from the service you're trying to accelerate and not the WAAS self-signed one.

I do not use the SSL accelerator yet.

But as the message also shows up in our network monitoring (a lot of them) I would like to get some ideas how to avoid or suppress it...

Maybe I should shutdown the SSL AO until we start using it actively?

Best regards,

Flemming

Flemming,

Check if secure store has been initialized before.

If it's all down, just remove the old cert and generate a new one.

There is a possibility cert is generated on upgrade - I would not really call it a bug. Maybe cert was created when you installed waas and has been happily sitting there?

Marcin

Bhavin Yadav
Cisco Employee

As an FYI, Cisco has posted a defect for this issue:

Defect id: CSCte05426.  More details are here:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCte05426

Enjoy.

Regards.
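
Added example, not part of any post in this thread and not Cisco code: a Python check that reads saved `show crypto certificates` output and WAAS log lines and reports the state described earlier in the thread, where a new certificate sits in the Managed Store while the Local Store still lists the factory certificate and the 133013 alarm keeps naming the waas-self file. The sample input is constructed, and treating CN=NO-HOSTNAME as the marker of the factory certificate is an assumption taken from the posted output.

```python
import re

# Constructed sample shaped like the thread's CLI output and log line (hostname, org made up).
SHOW_OUTPUT = """\
Managed Store:
File: BEL.p12            Format: PKCS12
EEC: Subject: C=US/O=Example Org/CN=wae.example.net
Local Store:
Machine Self signed Certificate
Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Management Service Certificate
EEC:Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
"""
LOG_LINES = [
    "Wed Dec 1 11:26:38 UTC 2010 WAE edge01 Server warning Critical message on the node "
    "%WAAS-SSLAO-1-133013: (667443) SSL AO: machine cert in the file __waas-self__.p12 is near expiration.",
]
ALARM = re.compile(r"%WAAS-SSLAO-1-133013:.*machine cert in the file (\S+) is near expiration")

def dn_attrs(dn):
    """Turn a slash-separated DN into a dict, e.g. {'CN': 'NO-HOSTNAME', ...}."""
    return dict(p.split("=", 1) for p in dn.split("/") if "=" in p)

def parse_show(text):
    """Return (files in the Managed Store, subject DN of the Local Store machine cert)."""
    managed, subject, store, in_machine = [], None, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("Store:"):
            store, in_machine = s[:-1], False
        elif store == "Managed Store" and s.startswith("File:"):
            managed.append(s.split()[1])
        elif store == "Local Store" and s.endswith("Certificate"):
            in_machine = s.startswith("Machine Self signed")
        elif in_machine and s.startswith("Subject:"):
            subject = s[len("Subject:"):].strip()
    return managed, subject

def assess(show_text, log_lines):
    """Summarise, for one device, the certificate state the thread describes."""
    managed, subject = parse_show(show_text)
    alarmed = sorted({m.group(1) for m in map(ALARM.search, log_lines) if m})
    # Assumption: the factory machine cert is recognisable by CN=NO-HOSTNAME.
    factory = bool(subject) and dn_attrs(subject).get("CN") == "NO-HOSTNAME"
    return {"alarmed_files": alarmed, "managed_files": managed, "factory_machine_cert": factory,
            "new_cert_present_but_factory_still_listed": factory and bool(managed)}

if __name__ == "__main__":
    print(assess(SHOW_OUTPUT, LOG_LINES))
```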
