• Update - Service Decommissioning
• Overview of Cisco IOS Content Filtering
• Problem
• Resolution
• Verification
• Certificate Installation Verification
• Trend Micro Communication Verification

Update - Service Decommissioning

Please Note - the Cisco IOS Content Filtering service has been decommissioned as of January 1st, 2014.  Please see the End of Life notice posted here for more information:

http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/eol_c51-709131.html

Overview of Cisco IOS Content Filtering

The  Subscription-based Cisco IOS Content Filtering feature interacts with  the Trend Micro URL filtering service so that HTTP requests can be  allowed or blocked, and logged, based on a content filtering policy. The  content filtering policy specifies how to handle items such as web  categories, reputations (or security ratings), trusted domains,  untrusted domains, and keywords. URLs are cached on the router, so that  subsequent requests for the same URL do not require a lookup request,  thus improving performance.

For more information about the Cisco IOS Content Filtering solution, please see the IOS Content Filtering document (DOC-8028)

Problem

On September 4, 2013 the Identity certificate was changed on the Trend Micro server that the Cisco IOS device talks to.  Since the new identity certificate is signed by a different Certificate Authority (CA), all users of the Cisco IOS Content Filtering feature must replace the CA certificate installed on the Cisco IOS device with the new CA certificate listed below, for the content filtering feature to continue working after Septemeber 4, 2013.

Resolution

Affected users (which is all users who are using the Cisco IOS Content Filtering Feature), must log into their Cisco IOS device and update the CA Certificate for the Trend Micro server.  In the below example, the trustpoint name is trendmicro, however it may be different on your specific device.  You may however just copy and paste in the commands below (in configuration mode) to install the new CA certificate.

Step 1 - Remove Existing (old) CA Certificate

Issue the command no crypto pki trustpoint trendmicro (where trendmicro is the current name of your trustpoint).  You will be prompted to ensure you want to delete the existing trustpoint, choose Yes.

router(config)#no crypto pki trustpoint trendmicro

% Removing an enrolled trustpoint will destroy all certificates

received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes

% Be sure to ask the CA administrator to revoke your certificates.

Step 2 - Installing new CA certificate

crypto pki trustpoint trendmicro

revocation-check none

enrollment terminal

crypto pki authenticate trendmicro

-----BEGIN CERTIFICATE-----
MIIEATCCAumgAwIBAgIIWvgOmMFTClgwDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
dCBOZXR3b3JraW5nMB4XDTExMTAyMjE5MTQ0MloXDTMwMTIzMTE0MDgyNFowQDEL
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD1RyZW5kIE1pY3JvIEluYzEXMBUGA1UEAwwO
VHJlbmQgTWljcm8gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC
tz7qUBb61DHFYDbRj69nikk/4sbQ53NnPSrOBJEX3E59MAPoEO/biYzoMF4A3UdB
LzZsRp4SYJZ0WybyvaExs9FHECfpcXohOCPkG7u1RC4EtUgMjw3lNvu3gDvyi5ut
cdKI4uOwIkhD8objKuzSlU4IaUjsTaeIROKQHttkDMw7d8HhORy3QnTSIClZ3hgW
DJZZHOyE2xhGhdyG/KfNlw/uXtJ9A5/YUPHp4dDfrQV2PUr+dTgs3BIh9r7dRngl
a4BqbvNaH8Yw3fFJ8DqY118JH5GSQ3RQwHpz2f34n0y2PTSMLQlMUC2iRBOd8dhW
Je5RGbKfveHXDfBgqdBBAgMBAAGjgfowgfcwHQYDVR0OBBYEFK0xx/oCzmf3ZRz7
ul/Au8VQTGfIMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUBx/S55zawm6i
QLSwelAQUHTEyL0wSQYDVR0gBEIwQDA+BgRVHSAAMDYwNAYIKwYBBQUHAgEWKGh0
dHA6Ly93d3cuYWZmaXJtdHJ1c3QuY29tL3Jlc291cmNlcy9jcHMwSQYDVR0fBEIw
QDA+oDygOoY4aHR0cDovL2NybC5hZmZpcm10cnVzdC5jb20vY3JsL0FmZmlybVRy
dXN0TmV0d29ya2luZy5jcmwwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUA
A4IBAQCz8LF8s4ueoaZov0/fhVPJlm8flyIa/zxKxR7PK26LXJbV7Z4CL/7Xtp0z
VtzAeFhuD11YSkG6BOvBDvozt4rHlLuOj/R+II10sBG4R3Z1iUUeXVLI5e4L0RL8
vb1PNBghUWF7+3W4Ge/CfHjno1V5I293k85otpjgq0MgJsr16oe9vjjOkXSZaG1+
NXshwaqFbDFI70ORCP0HmKADPAGm++sl6hVis1I9fWo9consiYRTHs2ac0f/bAu5
lyDf3OSEtcaYmvMuzwI4BZ7xTmPbx0pFN+dkpS8V2VO1bITrkKBkW6LqlVyDY8al
7Q4eay8hSFJbRBNzyPj+oarZ69Hf
-----END CERTIFICATE-----

quit

After pasting in the above commands, you should see the following output, and the Cisco IOS device will prompt you to accept the new certificate.  Please make sure you answer yes at the prompt.

Trustpoint 'trendmicro' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
       Fingerprint MD5: 52F268ED F9148A9F 59384DDF A4131E2D
      Fingerprint SHA1: 0AD58B34 4C169343 D107713D BEE0DCCA 261F1EE4

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted

% Certificate successfully imported

Once the CA certificate has been installed, the Cisco IOS Content Filtering feature will resume working.

Verification

Certificate Installation Verification

To verify that the new CA certificate has been installed properly, issue the command:  show crypto pki certificates

Trend Micro Communication Verification

To verify that the Cisco IOS device is able to successfully communicate with the Trend Micro server issue the following commands:

   trm register

   show ip trm subscription status

You forcing the Cisco IOS device to register with Trend Micro, you should see that the status is Active in the output of show ip trm subscription status.

router# show ip trm subscription status 

       Package Name:  Security & Productivity

------------------------------------------------

             Status:  Active

Status Update Time:  12:30:25 UTC Wed Oct 3 2013

    Expiration-Date:  Tue Mar 11 07:00:00 2014

    Last Req Status:  Processed response successfully

Last Req Sent Time:  10:22:11 UTC Wed Oct 3 2013