niko
Beginner

Firepower 2100-series FXOS certificate regeneration

Hi,

I'm getting an error about an expired certificate from FXOS:

#show fault

Major F0853 2018-06-02T13:06:08.798 126445 default Keyring's certificate is invalid, reason: expired.

If checking further:

#scope security

#show keyring default

...

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost

...

So, yep, it is expired.

The classic FXOS way to extend the validity (https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/platform_settings.html#concept_emd_w3t_cy) does not help:

Firepower-chassis# scope security
Firepower-chassis /security # scope keyring default
Firepower-chassis /security/keyring* # set regenerate yes
Firepower-chassis /security/keyring* # commit-buffer

This is rejected on the FP2100 series due to:
FTD* # commit-buffer
Error: Changes not allowed. use: 'connect ftd' to make changes.

Version: FMC/FTD 6.2.3.1 & FXOS 2.3(1.84) - but it is all bundled, so I don't have any options anyway.

At the moment I cannot seem to find a procedure for the 2100 series, where everything is bundled together and separate changes to FXOS are not made. How do I regenerate the certificate for this platform?

4 REPLIES
Warbs
Beginner

Hi - we have the same issue with no fix at the moment on 6.2.3.2 - it has been escalated within Cisco.

alfred.thyri
Beginner

I have the same error. I tried to regenerate the certificate but the error is the same.

patoberli
VIP Advisor

Just executed your commands on my Firepower 2110 running the latest ASA 9.12.3 code and it worked:

firepower-2110# scope security
firepower-2110 /security # scope keyring default
firepower-2110 /security/keyring # set regenerate yes
firepower-2110 /security/keyring* # commit-buffer
firepower-2110 /security/keyring # top

firepower-2110# show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Cleared F0853 2019-12-16T09:59:13.246 583116 default Keyring's certificate is invalid, reason: expired.
firepower-2110# show vers
Boot Loader version: 1.0.09
System version: 2.6(1.156)
Service Manager version: 2.6(1.156)
fpga version: 2.0.00
fpga golden version: 2.0.00
power sequencer version: 2.13
lanspi version: unknown
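Neither the original post nor the replies show a way to catch this before fault F0853 fires, and on the FTD-bundled 2100 image the FXOS CLI rejects the regeneration outright, so an early warning is worth having. The following is an added example of my own (not Cisco code and not from either poster): a small Python script that parses captured `show keyring default` (from `scope security`) and `show fault` output, classifies the default keyring certificate as valid, expiring, expired or not yet valid, and lists F0853 rows that are still active. The sample output embedded in it is constructed from the lines quoted in this thread. It assumes the two commands were captured to text (an SSH session log, for instance), that FXOS prints validity dates in the OpenSSL-style `Mon D HH:MM:SS YYYY GMT` form shown above, and the 30-day `warn_days` threshold and the `utc()` helper are my own choices.

```python
"""Check the FXOS default keyring certificate from captured CLI output.

Added example for this thread, not Cisco code: parses the text of
`show keyring default` (under `scope security`) and `show fault`, reports
whether the certificate is valid, expiring or expired, and lists F0853 rows.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the validity lines of `show keyring default` as quoted in the thread.
SHOW_KEYRING_SAMPLE = """\
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
"""

# Constructed sample: `show fault` with the Major F0853 from the original post.
SHOW_FAULT_SAMPLE = """\
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Major F0853 2018-06-02T13:06:08.798 126445 default Keyring's certificate is invalid, reason: expired.
"""

# Constructed sample: the same fault after a successful regeneration, as in the last reply.
SHOW_FAULT_CLEARED_SAMPLE = """\
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Cleared F0853 2019-12-16T09:59:13.246 583116 default Keyring's certificate is invalid, reason: expired.
"""

VALIDITY_RE = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.M)
# Columns of `show fault`: Severity, Code, Last Transition Time, ID, Description.
FAULT_RE = re.compile(r"^(?P<sev>\w+)\s+(?P<code>F\d{4})\s+(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<desc>.*)$", re.M)
KEYRING_FAULT_CODE = "F0853"  # "Keyring's certificate is invalid" in the thread


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper (my own) to build an aware UTC timestamp for a point-in-time check."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_validity(text):
    """Return (not_before, not_after) as aware UTC datetimes from `show keyring` output."""
    found = {}
    for m in VALIDITY_RE.finditer(text):
        raw = " ".join(m.group(2).split())  # tolerate a space-padded single-digit day
        found[m.group(1)] = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("validity period not found in `show keyring` output")
    return found["Before"], found["After"]


def days_remaining(text, now):
    """Whole days until Not After; negative once the certificate has expired."""
    _, not_after = parse_validity(text)
    return (not_after - now).days


def keyring_status(text, now, warn_days=30):
    """Classify the certificate at `now`: not_yet_valid, expired, expiring or valid."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "valid"


def keyring_faults(text):
    """All F0853 rows of `show fault`, as (severity, code, description) tuples."""
    return [(m["sev"], m["code"], m["desc"]) for m in FAULT_RE.finditer(text)
            if m["code"] == KEYRING_FAULT_CODE]


def active_keyring_faults(text):
    """F0853 rows not yet cleared (a regeneration leaves a 'Cleared' row behind)."""
    return [f for f in keyring_faults(text) if f[0] != "Cleared"]


def report(keyring_text, fault_text, now, warn_days=30):
    """Print a one-screen summary and return the status so callers can act on it."""
    status = keyring_status(keyring_text, now, warn_days)
    not_before, not_after = parse_validity(keyring_text)
    print(f"keyring default: {status} (valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d}, "
          f"{days_remaining(keyring_text, now)} days left)")
    for sev, code, desc in active_keyring_faults(fault_text):
        print(f"active fault {code} [{sev}]: {desc}")
    return status


if __name__ == "__main__":
    # With two file arguments, read captures of the two commands; otherwise use the samples.
    if len(sys.argv) == 3:
        keyring_text = open(sys.argv[1]).read()
        fault_text = open(sys.argv[2]).read()
    else:
        keyring_text, fault_text = SHOW_KEYRING_SAMPLE, SHOW_FAULT_SAMPLE
    sys.exit(0 if report(keyring_text, fault_text, datetime.now(timezone.utc)) == "valid" else 1)
```

Run it against fresh captures of both commands as part of routine checks (the non-zero exit status makes it easy to wire into a cron job or monitoring check), so the keyring is regenerated, where the platform allows it, before the certificate expires rather than after a Major fault appears. The `Cleared` handling matters because, as the last reply shows, a successful `set regenerate yes` does not delete the F0853 row; it only flips its severity.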