cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

Cisco WAAS: Error certificate expired Error system is degraded

1449
Views
0
Helpful
0
Comments

 

 

Introduction

Cisco Wide Area Application Services (WAAS) is a comprehensive WAN optimization and application acceleration solution. Cisco WAAS SSL acceleration is supported on all Cisco Wide Area Application Engine (WAE) and Wide Area Virtualization Engine (WAVE) platforms running Cisco WAAS Software Version 4.1.3 or later. An Enterprise license is also required to enable the Cisco WAAS SSL Application Optimizer services.

 

WAAS Certificates

To generate a self-signed certificate and private key, follow these steps:

1) Check the Mark private key as exportable check box to export this certificate/key in the WAAS Central Manager and device CLI later.

2) Fill in the certificate and private key fields.

 

To import an existing certificate or certificate chain and, optionally private key, follow these steps:

1) Check the Mark private key as exportable check box to export this certificate/key in the WAAS Central Manager and device CLI later.

2) To import existing certificate or certificate chain and private key, perform one of the following:
•Upload certificate and key in PKCS#12 format (also as Microsoft PFX format)
•Upload certificate and private key in PEM format.
•Paste certificate and private key PEM content.

 

To export a configured certificate and private key, follow these steps:

1) Enter the encryption pass-phrase.

2) Export current certificate and private key in either PKCS#12 or PEM formats. In case of PEM format both certificate and private key are included in single PEM file.

 

Problem

User is getting error machine cert in the file __waas-self__.p12 is near expiration / is expired.

 

WAE01#show alarms

 

Critical Alarms:

----------------

None

 

Major Alarms:

-------------

     Alarm ID             Module/Submodule     Instance

     -------------------- -------------------- --------------------

   1 cert_expired         sslao/SGS/gsetting   cert_expired

 

Minor Alarms:

-------------

None

 

Description

Enter the following command to see more details

 

WAE01#show alarms detail

 

Critical Alarms:

----------------

None

 

Major Alarms:

-------------

     Alarm ID             Module/Submodule     Instance

     -------------------- -------------------- --------------------

   1 cert_expired         sslao/SGS/gsetting   cert_expired

     July  25 11:31:55.304 PDT, Processing Error Alarm, #000140, 26000:26006

Certificate '__waas-self__.p12' is expired. It is configured as machine cert in global settings

 

 

Minor Alarms:

-------------

None

 

Check the certificates on waas device

 

WAE01#show crypto certificates

 

Certificate Only Store:

-----------------------

<EMPTY>

 

Managed Store:

--------------

<EMPTY>

 

Local Store:

------------

Machine Self signed Certificate

-------------------------------

Format: PKCS12

Subject: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UKM-

WAE-01.**.*****.****.***/emailAddress=tac@cisco.com<mailto:WAE-****.**.****.****

/emailAddress=tac@cisco.com >

Issuer: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UKM-W

AE-01.**.*****.****.***/emailAddress=tac@cisco.com<mailto:AE-0G01.**.*****.****.***

/emailAddress=tac@cisco.com >

 

Management Service Certificate

------------------------------

Format: PKCS12

EEC:Subject: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UK

M-WAE-01.**.*****.****.***/emailAddress=tac@cisco.com<mailto:CAM-WAE-***.**.***

.****/emailAddress=tac@cisco.com >

    Issuer: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UK

M-WAE-01.**.*****.****.***/emailAddress=tac@cisco.com<mailto:AM-WAE-****.**.

****/emailAddress=tac@cisco.com >

 

Resolution

a) To recreate the certificate and associate it to the WAAS device enter following commands:

 

WAE01(config)#crypto generate  self-signed-cert waas-self.p12 rsa modulus 1024

WAE01(config)#crypto ssl  services global-settings machine-cert-key waas-self.p12

 

b) On older software version you may be hitting bug CSCte05426.

 

c) If the certificates are no longer in use then delete the certificates.

 

d) Ocassionally you may get a third party vendor (e.g Verisign)certificate expiry notifications. To remedy this contact the vendor for the valid version. Meaning that, Cisco cannot provide with the fresh certificate as it does not belong to Cisco.

 

References

Cisco Wide Area Application Services SSL Application Optimizer Deployment Guide

Cisco WAAS Troubleshooting Guide for Release 4.1.3 and Later -- Troubleshooting the SSL AO

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here