FPR1010 FDM Certificates Expired change in behavior for upgrades

Michael King
Level 1

Due to the Semiannual Security Advisory released yesterday, we are testing an upgrade from 7.4.2 to 7.4.2.1.

We've run into a problem: the upgrade is throwing errors that expired certificates "exist".

[Screenshot: MichaelKing_0-1729800545812.png]

The DefaultWebserverCertificate was replaced by a new one when we upgraded to 7.4.2. On one of our test boxes, the DefaultInternalCertificate was still valid, so we experimented by deleting the DefaultWebserverCertificate, and the upgrade was allowed to continue. So even though the DefaultWebserverCertificate is not in use, it's blocking the upgrade.

So I have two questions.

1. For an FDM-managed FPR-1010, is it safe to just delete the DefaultInternalCertificate? (The only reference I can find says it's used for FMC communication.)

2. Is there a plan to document this anywhere? A Field Notice, a note on the https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html page, release notes, something?

1 Reply

The behaviour you are seeing is very similar to an ISE upgrade. If you have an expired certificate, even if that certificate is not used, the ISE upgrade will fail, and as a prerequisite we have to go and delete all the expired certificates before going ahead with the upgrade. So it is safe to remove any unused expired certificate; actually, it is a best practice not to have any expired certificates on production appliances.
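The pre-upgrade rule both posts describe, that any expired certificate present on the appliance fails the check whether or not it is in use, as an added example that is not from the original thread and is not Cisco's code: a stdlib-only Python pre-check that parses the validity period out of each DER-encoded certificate in an exported bundle and lists the ones already past notAfter, so they can be cleaned up before the upgrade is attempted. The bundle, the certificate names and the dates are constructed for illustration; the certificates are unsigned skeletons built by the block itself (zeroed key and signature, only the structure the validity parser needs), and the parser does no signature or chain validation, it only reads the Validity field.

```python
"""Pre-upgrade check: list expired X.509 certificates in a DER bundle (stdlib only)."""
from datetime import datetime, timedelta, timezone


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the content of a DER SEQUENCE into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, value):
    """Decode an RFC 5280 Time (UTCTime 0x17 or GeneralizedTime 0x18) to an aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; YY >= 50 means 19YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) from a DER certificate; no signature validation."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])      # serialNumber, signature, issuer, validity
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def expired_certs(bundle, now=None):
    """Names of every certificate in {name: der} whose notAfter is in the past."""
    now = now or datetime.now(timezone.utc)
    return sorted(name for name, der in bundle.items() if cert_validity(der)[1] < now)


# --- constructed test data: a tiny DER encoder and unsigned certificate skeletons ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _time(dt):
    """RFC 5280: UTCTime for 1950-2049, GeneralizedTime otherwise."""
    if 1950 <= dt.year <= 2049:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def make_test_cert(cn, not_before, not_after):
    """Constructed certificate skeleton (NOT a real cert: zeroed key and signature)."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _tlv(0x05, b""))
    rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                      # version v3
               + _tlv(0x02, b"\x01")                                # serialNumber
               + sha256_rsa + name                                  # signature, issuer
               + _tlv(0x30, _time(not_before) + _time(not_after))   # validity
               + name + _tlv(0x30, rsa + _tlv(0x03, b"\x00" * 9)))  # subject, placeholder SPKI
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 9))


NOW = datetime(2024, 10, 24, tzinfo=timezone.utc)   # constructed reference date
SAMPLE_BUNDLE = {                                   # constructed names and dates
    "DefaultWebserverCertificate": make_test_cert("ftd-webserver", NOW - timedelta(days=400), NOW - timedelta(days=35)),
    "DefaultInternalCertificate": make_test_cert("ftd-internal", NOW - timedelta(days=30), NOW + timedelta(days=335)),
    "NewWebserverCertificate": make_test_cert("ftd-webserver", NOW - timedelta(days=30), NOW + timedelta(days=335)),
}

if __name__ == "__main__":
    for name in expired_certs(SAMPLE_BUNDLE, NOW):
        print(f"EXPIRED (remove before upgrade): {name}  notAfter={cert_validity(SAMPLE_BUNDLE[name])[1]:%Y-%m-%d}")
```

The check deliberately ignores whether a certificate is referenced anywhere, which mirrors the upgrade pre-check behaviour described in the thread: the replaced DefaultWebserverCertificate is reported even though nothing uses it. To run it against real exports, read each certificate's DER bytes into the bundle dict (base64-decode the body of a PEM file first).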
