Some 5520 and 8540 controllers shipped from the factory without manufacturing installed certificates activated.
The first symptom typically observed is the inability to access the controller via https. (Temporary workaround: enable http access. CLI: config network webmode enable)
Code upgrades will also fail due to an unactivated certificate:
FTP Code transfer starting.
FTP receive complete... extracting components.
Failure while validating the signature!
This issue is documented in the following bug:
CSCuv97685 5520 or 8540 may have no Manufacturing Installed Certificates
This condition can be recovered without replacing the unit.
Refer to the following document for the recovery procedure, or contact the Cisco Tac for assistance:
https://supportforums.cisco.com/blog/13046816/recovery-missing-85405520-manufacturing-installed-certificates