
Firepower 2100-series FXOS certificate regeneration

niko
Level 1

Hi,

I'm getting an error about an expired certificate from FXOS:

#show fault

Major F0853 2018-06-02T13:06:08.798 126445 default Keyring's certificate is invalid, reason: expired.

 

If checking further:

#scope security

#show keyring default

...

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost

...

 

So, yep, it is expired. 

The classic FXOS way to extend the validity (https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/platform_settings.html#concept_emd_w3t_cy) does not help:

Firepower-chassis# scope security
Firepower-chassis /security # scope keyring default
Firepower-chassis /security/keyring* # set regenerate yes
Firepower-chassis /security/keyring* # commit-buffer

 

This is rejected on FP2100 series due to:
FTD* # commit-buffer
Error: Changes not allowed. use: 'connect ftd' to make changes.

 

Version FMC/FTD 6.2.3.1 & FXOS 2.3(1.84) - but is all bundled, so I don't have any options anyway.

 

At the moment I cannot seem to find a procedure for the 2100-series, where everything is bundled together and separate changes to FXOS are not done. How do I regenerate the certificate for this platform?
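The F0853 fault quoted in the question was raised only minutes after the certificate's Not After time, so it gives no advance warning. As an added example (not part of the original post and not Cisco code), the Python sketch below parses the certificate fields from saved `show keyring default` output and reports the days remaining and whether the certificate is self-signed. The function names, the 30-day threshold and the assumption that the fields appear one per line as in the excerpt above are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample, copied from the certificate fields quoted in the question.
SAMPLE = """\
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
"""

_FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$", re.M)


def _parse_time(text):
    """Parse an OpenSSL-style timestamp such as 'Jun  2 12:59:10 2018 GMT'."""
    text = " ".join(text.split())  # collapse padding before single-digit days
    if not text.endswith(" GMT"):
        raise ValueError(f"unexpected time zone in {text!r}")
    # %b is locale-dependent; this assumes the default C/English locale.
    return datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_keyring(output, now=None, warn_days=30):
    """Return status, days left and self-signed flag for one keyring certificate."""
    fields = dict(_FIELD.findall(output))
    missing = {"Issuer", "Subject", "Not Before", "Not After"} - fields.keys()
    if missing:
        raise ValueError(f"fields not found in output: {sorted(missing)}")
    now = now or datetime.now(timezone.utc)
    not_before = _parse_time(fields["Not Before"])
    not_after = _parse_time(fields["Not After"])
    days_left = (not_after - now).days  # negative once the certificate has expired
    if now > not_after:
        status = "expired"
    elif now < not_before:
        status = "not-yet-valid"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left,
            "self_signed": fields["Issuer"] == fields["Subject"]}


if __name__ == "__main__":
    print(check_keyring(SAMPLE))
```

Run against output collected on a schedule, the "expiring" status gives a window to regenerate or replace the keyring certificate before the fault appears.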


Warbs
Level 1

Hi - we have the same issue with no fix at moment on 6.2.3.2 - has been escalated within Cisco.

I have the same error. I tried to regenerate the certificate but the error is the same.

patoberli
VIP Alumni
Just executed your commands on my Firepower 2110 running latest ASA 9.12.3 code and it worked:

firepower-2110# scope security
firepower-2110 /security # scope keyring default
firepower-2110 /security/keyring # set regenerate yes
firepower-2110 /security/keyring* # commit-buffer
firepower-2110 /security/keyring # top

firepower-2110# show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Cleared F0853 2019-12-16T09:59:13.246 583116 default Keyring's certificate is invalid, reason: expired.
firepower-2110# show vers
Boot Loader version: 1.0.09
System version: 2.6(1.156)
Service Manager version: 2.6(1.156)
fpga version: 2.0.00
fpga golden version: 2.0.00
power sequencer version: 2.13
lanspi version: unknown

hoyleanderson
Level 1

For newer versions, see https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe60267.

You have to do all three steps. The "sysopt sam 1001 on" override is done in FXOS mode. Commit will give an error unless you first exit a couple of times to the top menu (still in FXOS).
