Problem Description
For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot be renewed from this CA. Once those certificates expire, functions such as Smart Licensing communication will fail to establish secure connections to Cisco and might not operate properly.
Background
The QuoVadis Public Key Infrastructure (PKI) Root CA 2 used by the ESA to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, the QuoVadis Root CA 2 will be decommissioned on 2021-03-31. No new certificates will be issued for Cisco by the QuoVadis Root CA 2 after 2021-03-31.
Certificates issued before the QuoVadis Root CA 2 is decommissioned will continue to be valid until they reach their expiration date. Once those certificates expire, they will not be renewed, which might cause functions such as Smart Licensing to fail to establish secure connections.
Beginning 2021-04-01, the IdenTrust Commercial Root CA 1 will be used to issue SSL certificates previously issued by the QuoVadis Root CA 2.
Field Notices
Recommended Actions
- For ESA (on-prem) – Upgrade to 11.0.4-004, or 12.5.3-035, or 13.0.3-021, or 13.5.3-010 or newer
- For SMA (on-prem) – Upgrade to 12.8.1-002 or newer
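
A fleet check against the fixed builds listed above, as an added example that is not part of the original notice or Cisco's tooling. It assumes version strings of the form `major.minor.maintenance-build`, treats a release train newer than every listed one as already fixed, and uses a constructed inventory with made-up hostnames and builds.

```python
import re

# Fixed builds from the Recommended Actions list, as (major, minor, maint, build).
FIXED = {
    "ESA": [(11, 0, 4, 4), (12, 5, 3, 35), (13, 0, 3, 21), (13, 5, 3, 10)],
    "SMA": [(12, 8, 1, 2)],
}

def parse_version(text):
    """Parse a version such as '13.5.3-010' into a 4-tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def needs_upgrade(product, version):
    """Return True when the version is below the fixed build that applies to it."""
    fixed = sorted(FIXED[product.upper()])
    v = parse_version(version)
    train = v[:2]
    for f in fixed:
        if f[:2] == train:
            return v < f  # same release train: compare maintenance and build
    # Assumption: a train newer than every listed train already carries the fix;
    # any other unlisted train has no fixed build and must move to a listed one.
    return train < fixed[-1][:2]

def audit(inventory):
    """Return the (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if needs_upgrade(row[1], row[2])]

# Constructed inventory for illustration; hostnames and builds are made up.
SAMPLE = [
    ("esa-01.example.com", "ESA", "13.5.3-010"),
    ("esa-02.example.com", "ESA", "13.5.2-036"),
    ("esa-03.example.com", "ESA", "12.1.0-071"),
    ("esa-04.example.com", "ESA", "14.0.0-692"),
    ("sma-01.example.com", "SMA", "12.8.0-058"),
    ("sma-02.example.com", "SMA", "12.8.1-002"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE):
        print(f"{host}: {product} {version} needs upgrade")
```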