cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10458
Views
15
Helpful
20
Replies

default Keyring's certificate is invalid, reason: unknown

Walter Dey
VIP Alumni
VIP Alumni

After upgrade to 2.1.2a, 2 UCS domains actually came with this error.

Description: default Keyring's certificate is invalid, reason: unknown

Cause: invalid-keyring-certificate

Code: F0909

I did the procedure

FI-A# scope security

FI-A/security # scope keyring default

FI-A/security/keyring # set regenerate yes

FI-A/security/keyring* # commit

Which didn't help ?         

     

Any advice is appreciated

Walter.

20 Replies 20

Walter Dey
VIP Alumni
VIP Alumni

Here some additional information

FI-BAL16-1-A /security # sho keyring detail

Keyring default:

    RSA key modulus: Mod2048

    Trustpoint CA:

    Cert Status: Unknown

    Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            b7:2b:15:ef:b6:67:ea:9e

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: CN=FI-BAL16-1

        Validity

            Not Before: Jul 17 13:40:22 2013 GMT

            Not After : Jul 17 13:40:22 2014 GMT

        Subject: CN=FI-BAL16-1

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

Hi,

thanks for the details. Got the same error and also a "dead" IOM which isn`t fixed already.

See the other post. ;-)

But on both of my FIs (which are 2.1.2a by now) i got this:

Keyring default:

    RSA key modulus: Mod1024

    Trustpoint CA:

    Cert Status: Unknown

    Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            cb:95:d4:5d:a1:4c:1d:d2

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: CN=fib-A

        Validity

            Not Before: Nov 19 11:13:11 2012 GMT

            Not After : Nov 19 11:13:11 2013 GMT

        Subject: CN=fib-A

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (1024 bit)

                Modulus (1024 bit):

It is a very interessting update....

Hello Walter / Timo,

The cert status is identified as " unknown " and hence the fault.

We are tracking this issue via CSCui06351

It will take a while to get pblished on cisco.com

Copy of release notes

Symptom:

Major fault is raised for default keyring certificate status showing as unknown.

Conditions:

When default keyring exists, the certificate status would be evaluated as unknown. This is because the default keyring certificate is self-signed certificate. The same certificate is used for https communication. The clients trying to access UCSM using https would fail to validate the certificate because it is self-signed certificate.

Workaround:

Use non default keyring for https communication. It is not recommended to use self-signed certificate for https. If Customer is using default certificate (which is not recommended), it is ok to ignore this fault. It is always recommended to use certificate signed by well known/trusted CA.

------------------------------------------------------

@ Walter,

Hope you are doing good. Glad to see you on CSC :-)

HTH

Padma

Hi Padma,

we are using our own certificates from a trusted CA (cert is in all browsers, with at least 2 sub-CA) on our FIs.

Next to the default-keyring. Working fine so far.

Does that mean we can safely delete the default-keyring?

And won`t get any trouble later while doing any upgrade of firmware etc.?

That is how i understand your anwser.

Can you please clearify this topic, before i will delete any default-keyring?

Thanks a lot for your help.

Regards,

Timo

Hello Timo,

If you are using third party CA, you can safely delete the default ( self-signed certificate ) keyring.

Padma

Thank you for the update. I opened a TAC case on this same issue yesterday after we upgraded to 2.1(2a).

dear padramas

I got the same problem too.is there any possibitilties to clear this fault?As we donnot have any third party's cert,thanks!

Hello Qi Liu,

We can safely ignore the fault and it does not affect any functionality.

Apart from using third party cert, there is no other option to clear the fault.

Padma

Hi Padramas,

ok, we can ignore the fault, but when there will be deploy a solution to resolve the fault in UCS Manager?

regards Frank

Hello Frank,

We are actively working on it and will let update the thread when I have more information on it.

Please note this defect only applies if you have UCSM 2.1.2 for the self signed cert with cert status / reason as UNKNOWN

Padma

Hello Padma,

I really wish to know why Cisco implemented this now. In my opinion this is not relevant in a datacenter already protected enviroment, could be a simple alert, but as a fault, this is bad thing.

I'm facing some troubles with my customers to do a kvm access correctly, probably I will do a rollback of UCS version.

Padma, please let us updated about it.

Thank you.

Richard

Hi Richard,

Cisco did not intentionally implement this. The problem that you are experiencing is due to a bug and certainly was not by design. Although, as Padma pointed out, a certificate from a trusted CA, is a preferred scenario.

,

I can assure you that it is being closely examined.

Thanks.

-Bruce

Thanks Bruce.

I will follow this thread.

Richard.

Hello @padramas , if trying to clear the alert and regenerating a default keyring then not being able to fetch domain to log in, if that related to this same issue? 

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card