Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
10897
Views
10
Helpful
0
Comments

MIC and SSC certificates expired on Cisco AP

gmukesh
Cisco Employee
Cisco Employee

on ‎11-11-2022 07:45 PM

Question: Does "config ap cert-expiry-ignore mic enable" / "config ap cert-expiry-ignore ssc enable" can cause any security threat as it is bypassing one of the step of CAPWAP process???!!!

 

Answer:

During the cases in which certificates (MIC/ SSC) of either WLC or AP get expired, all APs are not able to join WLC. So we use below commands on WLC. These commands just magically let all the APs to join the WLC (after checking licenses of APs on WLC and ports 5246/ 5247 should not be blocked between WLC and AP)

WLC> config ap cert-expiry-ignore mic enable
WLC> config ap cert-expiry-ignore ssc enable

So the next question asked by Customer is below:

Does "config ap cert-expiry-ignore mic enable" / "config ap cert-expiry-ignore ssc enable" can cause any security threat as it is bypassing one of the step of CAPWAP process???!!!

We used to say “No, it will not impact” to Customer and most of the Customers agree. But there are some Customers who need solid evidence to show it to their Security Team or the high Management.

 

So in this week, I replicated the issue in lab and took debug logs from WLC by using below commands one an AP was trying to join:

debug mac addr <MAC-address of AP>

debug capwap events enable

debug capwap errors enable

debug pm pki enable

debug dtls all enable

debug capwap dtls-keepalive enable

debug capwap error enable

 

Below is my observation:
It will not simply bypass the certificate check or ignore the certificates. What it will do is that it will ignore the expiry date of certificate during certificate verification. Below are the example logs on WLC that how it happens:
*spamApTask4: Nov 09 01:54:34.525: sshpmGetCID: called to evaluate <cscoDefaultNewRootCaCert> /////// Evaluation start-1
*spamApTask4: Nov 09 01:54:34.525: sshpmGetCID: Found matching CA cert cscoDefaultNewRootCaCert in row 4
*spamApTask4: Nov 09 01:54:34.525: Found CID 2bd185bc for certname cscoDefaultNewRootCaCert
*spamApTask4: Nov 09 01:54:34.525: CACertTable: Found matching CID cscoDefaultNewRootCaCert in row 4 x509 0x2cc7c6ac
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: X509 Cert Verification result text: certificate has expired
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: Error in X509 Cert Verification at 0 depth: certificate has expired
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: Warning: Certificate has expired, but allowed & continuing

*spamApTask4: Nov 09 01:54:34.861: sshpmGetCID: called to evaluate <cscoDefaultNewRootCaCert> /////// Evaluation start-2
*spamApTask4: Nov 09 01:54:34.861: sshpmGetCID: Found matching CA cert cscoDefaultNewRootCaCert in row 4
*spamApTask4: Nov 09 01:54:34.861: Found CID 2bd185bc for certname cscoDefaultNewRootCaCert
*spamApTask4: Nov 09 01:54:34.861: CACertTable: Found matching CID cscoDefaultNewRootCaCert in row 4 x509 0x2cc7c6ac
*spamApTask4: Nov 09 01:54:34.863: Verify User Certificate: X509 Cert Verification return code: 1
*spamApTask4: Nov 09 01:54:34.863: Verify User Certificate: X509 Cert Verification result text: ok

*spamApTask4: Nov 09 01:54:34.863: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert> /////// Evaluation start-3
*spamApTask4: Nov 09 01:54:34.863: sshpmGetCID: Found matching CA cert cscoDefaultMfgCaCert in row 5
*spamApTask4: Nov 09 01:54:34.864: Verify User Certificate: OPENSSL X509_Verify: AP Cert Verfied Using >cscoDefaultMfgCaCert<
*spamApTask4: Nov 09 01:54:34.864: OpenSSL Get Issuer Handles: Check cert validity times (allow expired YES)

So here we can conclude that it is not skipping the certificate check, but it is ignoring the expiry date of certificate. For example:
1. In Evaluation-1, WLC tried to evaluate <cscoDefaultNewRootCaCert> certificate and WLC found this certificate coming in CAPWAP packet of AP. Then in Evaluation-1, WLC found that certificate is expired but is still continuing evaluation as we have run expiry-ignore commands.
2. Then in Evaluation-2, same <cscoDefaultNewRootCaCert> got evaluated with verification return code: 1

So even the certificates are expired, WLC will complete expired certificates evaluation. Now coming to answer of below question:

Does "config ap cert-expiry-ignore mic enable" / "config ap cert-expiry-ignore ssc enable" can cause any security threat as it is bypassing one of the step of CAPWAP process???!!!

 

So the answer is that evaluation is still getting completed even if the certificates are expired. Let us say if an AP is not having any certificate and it is trying to join the WLC. WLC will not let it join even with “config ap cert-expiry-ignore mic enable” command.

 

So we can share above information to Customer so that he will share this information to higher Management or Security team.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents