cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2261
Views
0
Helpful
0
Comments
dmccabej
Cisco Employee
Cisco Employee

Problem Description

For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot be renewed from this CA. Once those certificates expire, functions such as Smart Licensing communication will fail to establish secure connections to Cisco and might not operate properly.

 

Background

The QuoVadis Public Key Infrastructure (PKI) Root CA 2 used by the ESA to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, the QuoVadis Root CA 2 will be decommissioned on 2021-03-31. No new certificates will be issued for Cisco by the QuoVadis Root CA 2 after 2021-03-31.

 

Certificates issued before the QuoVadis Root CA 2 is decommissioned will continue to be valid until they reach their expiration date. Once those certificates expire, they will not renew and this might cause functions such as Smart Licensing to fail to establish secure connections.

 

Beginning 2021-04-01, the IdenTrust Commercial Root CA 1 will be used to issue SSL certificates previously issued by the QuoVadis Root CA 2.

 

Field Notices

 

Recommended Actions

  • For ESA (on-prem) – Upgrade to 11.0.4-004, or 12.5.3-035, or 13.0.3-021, or 13.5.3-010 or newer
  • For SMA (on-prem)  – Upgrade to 12.8.1-002 or newer
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: