ACTION NEEDED: Root Certificate Changed for Cisco Smart Licensing

MARTIN STREULE · ‎02-10-2022

Hi,

If you run into issues with Smart Licensing lately (January 19th or so) you probably missed that Cisco now uses another Root Certificate for Smart Licensing.

"Due to a change in the root certificate, starting 5. February 2022 affected platforms will be unable to register or communicate with the Smart License Manager (SLM) server hosted by tools.cisco.com. Smart licenses might fail entitlement and reflect an Out of Compliance status."

You have to install the root certificate to bring it back to work correctly.

Here a bunch of Field Notices regarding this issue.

Field Notice: FN - 72318 - Cisco Unified Communications Manager / Session Management Edition -https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72318.html
Field Notice: FN - 72291 - Cisco Unity Connection -https://www.cisco.com/c/en/us/support/docs/field-notices/722/fn72291.html
Field Notice: FN - 72121 - Prime License Manager -https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72121.html
Field Notice: FN - 72289 - Cisco Emergency Responder -https://www.cisco.com/c/en/us/support/docs/field-notices/722/fn72289.html
Field Notice: FN - 70557 - Unified Contact Center Express -https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70557.html
...and many more

Beginning 2022-02-05, the IdenTrust Commercial Root CA 1 will be used to issue SSL certificates previously issued by the QuoVadis Root CA 2.

You find the certificate and the download links here:
https://www.identrust.com/identrust-commercial-root-ca-1

Aaron D · ‎02-10-2022

Martin, thanks for the post.

For the powers that be at Cisco: It's pretty bizarre (more like ugly) that TAC was surprised and unaware until today according to them. As customers this doesn't leave us feeling warm and fuzzy, especially given that it affects our operations. If Cisco TAC missed it, how many customers did? And this concurs with the fact this bug - Bug ID: Bug Search Tool (cisco.com) CSCwa91870 <---Opened today.

Smart licensing has been quite the debacle. Now we have 100's of alerts coming in from routers due to the fact they no longer can authorize. This is one of the reasons customers are very unhappy with how Cisco has handled this 'feature'. And while we're aware of SLUP in 17.x, we are on 16.x which doesn't support it. There seems to be a real lack of awareness on Cisco's end in communicating and implementing these features. Now instead of a planned proactive migration we are being put in reactive mode.

Solved: Re: Smart Licensing failing - Cisco Community

Leo Laohoo · ‎02-10-2022

@Aaron D wrote:

CSCwa91870 <---Opened today.

Wow. Is this all the detail(s) &/or information(s) found in the Bug ID? Kind of defeats the purpose of making this "public", eh?

If this is the ONLY details this Bug ID has to offer, it would be nice if Cisco make this "private" or "internal only".

Leo Laohoo · ‎02-10-2022

Speaking of Smart Licensing, please be aware of the following: CSCvr22962, CSCvz74203 and CSCvq28756

NOTE: Anyone who has hit this thread and suspect that their appliances are affected by this Bug IDs/FN but running "fixed" versions need to raise a TAC Case. Like the Bug IDs, the Field Notices may contain 50% accurate information.

ibaenadi · ‎02-03-2023

You can download the identrust certificate on this link:

https://www.identrust.com/support/downloads