06-08-2018 06:00 AM - edited 02-21-2020 07:51 AM
Hi,
I'm getting an error about an expired certificate from FXOS:
#show fault
Major F0853 2018-06-02T13:06:08.798 126445 default Keyring's certificate is invalid, reason: expired.
If checking further:
#scope security
#show keyring default
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
...
So, yep, it is expired.
The classic FXOS way to extend the validity (https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/platform_settings.html#concept_emd_w3t_cy) does not help:
Firepower-chassis# scope security
Firepower-chassis /security # scope keyring default
Firepower-chassis /security/keyring* # set regenerate yes
Firepower-chassis /security/keyring* # commit-buffer
This is rejected on FP2100 series due to:
FTD* # commit-buffer
Error: Changes not allowed. use: 'connect ftd' to make changes.
Version FMC/FTD 6.2.3.1 & FXOS 2.3(1.84) - but it is all bundled, so I don't have any options anyway.
At the moment I cannot seem to find a procedure for the 2100 series, where everything is bundled together and separate changes to FXOS are not made. How do I regenerate the certificate for this platform?
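The validity check done by eye in the post above, as an added example that is not part of the original post or any Cisco tooling: it parses saved `show keyring default` output and classifies the certificate before or after fault F0853 is raised. The function names and the 30-day warning threshold are assumptions, and the sample text is constructed from the fields quoted in the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the keyring fields quoted in the post above.
SAMPLE = """\
Issuer: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
Validity
Not Before: Jun 2 12:59:10 2017 GMT
Not After : Jun 2 12:59:10 2018 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=Test, CN=localhost
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
DATE_RE = re.compile(r"(\w{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT")

def _field(text, name):
    """Return the value of a 'Name : value' line, or raise if it is absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError(f"field {name!r} not found in keyring output")
    return m.group(1)

def _parse_date(value):
    """Parse an OpenSSL-style 'Jun 2 12:59:10 2018 GMT' timestamp as UTC."""
    m = DATE_RE.fullmatch(value)
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"unrecognised date {value!r}")
    mon, day, hh, mm, ss, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                    tzinfo=timezone.utc)

# Hypothetical helper; warn_days=30 is an assumed alerting threshold.
def check_keyring(text, now=None, warn_days=30):
    """Classify the certificate as not_yet_valid, expired, expiring or ok."""
    now = now or datetime.now(timezone.utc)
    not_before = _parse_date(_field(text, "Not Before"))
    not_after = _parse_date(_field(text, "Not After"))
    days_left = (not_after - now).days  # negative once the cert has expired
    if now < not_before:
        status = "not_yet_valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left, "not_after": not_after,
            "self_signed": _field(text, "Issuer") == _field(text, "Subject")}
```

Run against output collected on a schedule, the "expiring" status gives notice before the fault appears.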