wj343
Beginner

CA certificate to be expired in 480 days

Running IOS XR 6.4.2, I received this cryptic message in my logs today from both RSPs:

RP/0/RSP0/CPU0:Sep 10 14:01:16.082 EDT: cepki[162]: %SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days
RP/0/RSP1/CPU0:Sep 10 14:11:34.982 EDT: cepki[162]: %SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days

Is this something to be concerned about? I couldn't find any information online regarding this error, and we don't have any crypto settings in our IOS-XR configs.

dyadav2
Cisco Employee

Hi,

Could you please share the output of the CLI below once; I will have a quick look.

show crypto ca trustpool detail

@wj343 wrote:

Running IOS XR 6.4.2, I received this cryptic message in my logs today from both RSPs:

RP/0/RSP0/CPU0:Sep 10 14:01:16.082 EDT: cepki[162]: %SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days
RP/0/RSP1/CPU0:Sep 10 14:11:34.982 EDT: cepki[162]: %SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days

Is this something to be concerned about? I couldn't find any information online regarding this error, and we don't have any crypto settings in our IOS-XR configs.

#show crypto ca trustpool detail 
Sat Sep 11 22:58:32.248 EDT

Trustpool: Built-In
==================================================
CA certificate 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5f:f8:7b:28:2b:54:dc:8d:42:a3:15:b5:68:c9:ad:ff
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Cisco Root CA 2048,O=Cisco Systems
        Validity
            Not Before: May 14 20:17:12 2004 GMT
            Not After : May 14 20:25:42 2029 GMT
        Subject: CN=Cisco Root CA 2048,O=Cisco Systems
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:9a:b9:ab:a7:af:0a:77:a7:e2:71:b6:b4:66:
                    62:94:78:88:47:c6:62:55:84:40:32:bf:c0:ab:2e:
                    a5:1c:71:d6:bc:6e:7b:a8:aa:ba:6e:d2:15:88:48:
                    45:9d:a2:fc:83:d0:cc:b9:8c:e0:26:68:70:4a:78:
                    df:21:17:9e:f4:61:05:c9:15:c8:cf:16:da:35:61:
                    89:94:43:a8:84:a8:31:98:78:9b:b9:4e:6f:2c:53:
                    12:6c:cd:1d:ad:2b:24:bb:31:c4:2b:ff:83:44:6f:
                    b6:3d:24:77:09:ea:bf:2a:a8:1f:6a:56:f6:20:0f:
                    11:54:97:81:75:a7:25:ce:59:6a:82:65:ef:b7:ea:
                    e7:e2:8d:75:8b:6e:f2:dd:4f:a6:5e:62:9c:cf:10:
                    0a:64:d0:4e:6d:ce:2b:cc:5b:f5:60:a5:27:47:8d:
                    69:f4:7f:ce:1b:70:de:70:1b:20:d6:6e:cd:a6:01:
                    a8:3c:12:d2:a9:3f:a0:6b:5e:bb:8e:20:8b:7a:91:
                    e3:b5:68:ee:a0:e7:c4:01:74:a8:53:0b:2b:4a:9a:
                    0f:65:12:0e:82:4d:8e:63:fd:ef:eb:9b:1a:db:53:
                    a6:13:60:af:c2:7d:d7:c7:6c:17:25:d4:73:fb:47:
                    64:50:81:80:94:4c:e1:bf:ae:4b:1c:df:92:ed:2e:
                    05:df
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                27:F3:C8:15:1E:6E:9A:02:09:16:AD:2B:A0:89:60:5F:DA:7B:2F:AA
            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption
         9d:9d:84:84:a3:41:a9:7c:77:0c:b7:53:ca:4e:44:50:62:ef:
         54:7c:d3:75:17:1c:e8:e0:c6:48:4b:b6:fe:4c:3a:19:81:56:
         b0:56:ee:19:96:62:aa:5a:a3:64:c1:f6:4e:54:33:c6:77:fe:
         c5:1c:ba:e5:5d:25:ca:f5:f0:93:9a:83:11:2e:e6:cb:f8:74:
         45:fe:e7:05:b8:ab:e7:df:cb:4b:e1:37:84:da:b9:8b:97:70:
         1e:f0:e2:8b:d7:b0:d8:0e:9d:b1:69:d6:2a:91:7b:a9:49:4f:
         7e:e6:8e:95:d8:83:27:3c:d5:68:49:0e:d4:9d:f6:2e:eb:a7:
         be:eb:30:a4:ac:1f:44:fc:95:ab:33:06:fb:7d:60:0a:de:b4:
         8a:63:b0:9c:a9:f2:a4:b9:53:01:87:d0:68:a4:27:7f:ab:ff:
         e9:fa:c9:40:38:88:67:b4:39:c6:84:6f:57:c9:53:db:ba:8e:
         ee:c0:43:b2:f8:09:83:6e:ff:66:cf:3e:ef:17:b3:58:18:25:
         09:34:5e:e3:cb:d6:14:b6:ec:f2:92:6f:74:e4:2f:81:2a:d5:
         92:91:e0:e0:97:3c:32:68:05:85:4b:d1:f7:57:e2:52:1d:93:
         1a:54:9f:05:70:c0:4a:71:60:1e:43:0b:60:1e:fe:a3:ce:81:
         19:e1:0b:35
  SHA1 Fingerprint:
         DE990CED99E0431F60EDC3937E7CD5BF0ED9E5FA 

Trustpool: Built-In
==================================================
CA certificate 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2e:d2:0e:73:47:d3:33:83:4b:4f:dd:0d:d7:b6:96:7e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Cisco Root CA M1,O=Cisco
        Validity
            Not Before: Nov 18 21:50:24 2008 GMT
            Not After : Nov 18 21:59:46 2033 GMT
        Subject: CN=Cisco Root CA M1,O=Cisco
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:41:dc:19:dd:49:6a:90:5b:0f:91:d4:68:fd:
                    6e:58:94:5e:72:33:75:b0:a8:ba:47:e6:aa:2d:ff:
                    ca:b2:ed:26:b3:23:0f:7f:ab:28:9a:73:48:e8:b0:
                    32:45:48:84:d3:a3:e6:7e:ad:10:85:91:cf:bf:ca:
                    d5:8c:a2:73:09:b6:13:11:6e:85:c1:8a:73:d9:77:
                    e3:5b:6c:c3:a1:a1:b2:39:c5:f5:14:17:de:77:c2:
                    23:ad:df:9d:1b:07:06:b7:1e:f1:ee:4a:fd:7c:b3:
                    50:50:17:ec:0e:6a:fe:43:bb:31:e6:d5:97:d4:8a:
                    97:57:09:f3:87:5b:71:fd:84:4d:2a:d6:99:69:7d:
                    03:77:2e:2a:1c:f8:5b:e4:55:f5:af:86:0c:7c:00:
                    ee:e0:88:30:dd:18:d2:f0:a0:90:d8:5c:00:63:df:
                    cf:b2:b3:db:c9:09:e1:2a:c8:7c:3d:bc:35:7b:09:
                    e9:70:9e:84:a7:50:55:60:84:32:09:63:95:76:35:
                    4b:6d:6e:12:8e:97:6c:d2:e8:20:c6:ce:14:53:f5:
                    50:8c:69:a0:ad:a8:35:3c:82:85:5a:87:16:a0:81:
                    93:cd:a4:c7:92:23:70:2f:45:58:88:3d:e2:06:0b:
                    81:53:90:01:86:c3:e4:95:4a:e3:eb:19:34:1d:ab:
                    bc:0f
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                A6:03:1D:7F:CA:BD:B2:91:40:C6:CB:82:36:1F:6B:98:8F:DD:BC:29
            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption
         7e:6d:7e:61:1e:da:01:9e:9f:38:61:bd:e7:5f:82:e9:5c:7f:
         bc:e1:1d:6c:50:a0:77:5b:e8:a7:58:3d:31:77:9f:5f:9b:3c:
         0c:b3:24:ac:c7:3c:eb:c0:c6:e1:9e:f6:d2:ec:2d:7b:1f:d6:
         93:d9:4f:5d:51:d3:d4:4f:9e:a9:83:e7:97:f6:ce:17:11:a1:
         8b:d4:57:9d:94:79:3a:1b:71:4b:f5:db:e6:c0:a1:ee:5b:7b:
         93:99:94:e2:ce:33:cf:cb:78:44:96:95:10:55:c3:46:7a:c8:
         b5:b8:8d:34:d6:d3:c2:55:50:54:a3:bb:65:c9:f8:50:93:ac:
         ed:ba:4d:f0:ba:81:ef:1f:f8:03:3d:56:71:29:b5:84:48:70:
         f1:08:29:19:c4:39:cb:41:d1:e9:27:45:b5:e1:25:6b:4f:fe:
         cd:98:57:1d:f3:0f:d1:ca:a4:d1:23:1b:94:cb:65:10:34:47:
         9a:8a:81:05:43:98:3e:6d:98:77:a0:8d:d5:ed:8d:5d:fc:8d:
         c7:2d:05:68:05:69:2f:6f:29:20:81:94:bb:ab:86:09:ca:de:
         6f:38:0a:ab:23:49:05:82:a3:eb:cc:8e:9d:46:a5:4b:e6:60:
         0f:d6:00:30:5e:b3:8e:be:d7:44:ac:32:c7:e8:41:e7:46:ee:
         35:bd:d4:76
  SHA1 Fingerprint:
         45AD6BB499011BB4E84E84316A81C27D89EE5CE7 

Trustpool: Built-In
==================================================
CA certificate 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
                    82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
                    c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
                    ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
                    2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
                    a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
                    30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
                    65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
                    52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
                    8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
                    70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
                    30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
                    92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
                    d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
                    eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
                    02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
                    69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
                    02:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
    Signature Algorithm: sha1WithRSAEncryption
         a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
         4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
         a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
         20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
         b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
         3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
         dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
         e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
         0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
         67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
         85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
         63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
         b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
         96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
         82:35:35:10
  SHA1 Fingerprint:
         DAC9024F54D8F6DF94935FB1732638CA6AD77C13 

Trustpool: Built-In
==================================================
CA certificate 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  2 23:59:59 2028 GMT
        Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
                    db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
                    11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
                    1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
                    63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
                    42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
                    5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
                    e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
                    71:64:4c:65:2e:81:68:45:a7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         10:72:52:a9:05:14:19:32:08:41:f0:c5:6b:0a:cc:7e:0f:21:
         19:cd:e4:67:dc:5f:a9:1b:e6:ca:e8:73:9d:22:d8:98:6e:73:
         03:61:91:c5:7c:b0:45:40:6e:44:9d:8d:b0:b1:96:74:61:2d:
         0d:a9:45:d2:a4:92:2a:d6:9a:75:97:6e:3f:53:fd:45:99:60:
         1d:a8:2b:4c:f9:5e:a7:09:d8:75:30:d7:d2:65:60:3d:67:d6:
         48:55:75:69:3f:91:f5:48:0b:47:69:22:69:82:96:be:c9:c8:
         38:86:4a:7a:2c:73:19:48:69:4e:6b:7c:65:bf:0f:fc:70:ce:
         88:90
  SHA1 Fingerprint:
         A1DB6393916F17E4185509400415C70240B0AE6B 
dyadav2
Cisco Employee

Hi wj343, 

 

Trustpool: Built-In
==================================================
CA certificate 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT   <<<

 

I believe this is what's happening:

As this is expiring in 20 days, it is actually multiplying that by 24 hours. So that becomes 24 * 20 = 480. Instead of hours, it is displaying days. I would advise raising a TAC case. The TAC engineer will help with further analysis.
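As an added example (not code from this thread, from Cisco or from IOS XR), the following Python script does offline what an operator would want to do on seeing this syslog: parse the Issuer and Not After lines of a pasted "show crypto ca trustpool detail" output, compute the real number of days left for each CA as of the syslog timestamp, and check whether the logged value matches the days*24 mis-scaling hypothesised above. The sample input is reconstructed from the trustpool output posted earlier in the thread (key and signature dumps omitted); the EDT-to-UTC offset for the log timestamp, the 30-day reporting threshold and the days*24 model are assumptions made for the example.

```python
import math
import re
from datetime import datetime, timezone

# Constructed sample input: the Issuer / Validity lines of each certificate
# block from the "show crypto ca trustpool detail" output posted above
# (the key and signature dumps are omitted since the parser ignores them).
SAMPLE_TRUSTPOOL = r"""
Trustpool: Built-In
CA certificate
        Issuer: CN=Cisco Root CA 2048,O=Cisco Systems
        Validity
            Not Before: May 14 20:17:12 2004 GMT
            Not After : May 14 20:25:42 2029 GMT
Trustpool: Built-In
CA certificate
        Issuer: CN=Cisco Root CA M1,O=Cisco
        Validity
            Not Before: Nov 18 21:50:24 2008 GMT
            Not After : Nov 18 21:59:46 2033 GMT
Trustpool: Built-In
CA certificate
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
Trustpool: Built-In
CA certificate
        Issuer: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  2 23:59:59 2028 GMT
"""

# The cepki syslog line from the original post, and its timestamp converted
# from EDT (UTC-4, an assumption about the router's clock) to UTC.
SAMPLE_LOG = ("RP/0/RSP0/CPU0:Sep 10 14:01:16.082 EDT: cepki[162]: "
              "%SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days")
LOG_TIME = datetime(2021, 9, 10, 18, 1, 16, tzinfo=timezone.utc)

ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+?)\s*$")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")
LOG_RE = re.compile(r"%SECURITY-PKI-6-ERR_1_PARAM\s*:\s*"
                    r"CA certificate to be expired in (\d+) days")


def parse_trustpool(text):
    """Return [(issuer, not_after_utc), ...], one entry per CA certificate."""
    certs = []
    issuer = None
    for line in text.splitlines():
        m = ISSUER_RE.match(line)
        if m:
            issuer = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and issuer is not None:
            # OpenSSL-style date, e.g. "Aug  2 23:59:59 2028 GMT"; collapse the
            # padding before single-digit days so strptime accepts it.
            raw = " ".join(m.group(1).split())
            when = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
            certs.append((issuer, when.replace(tzinfo=timezone.utc)))
            issuer = None
    return certs


def days_until(not_after, now):
    """Whole or partial days left before not_after (0 or negative once expired)."""
    return math.ceil((not_after - now).total_seconds() / 86400)


def expiring_within(certs, now, threshold_days=30):
    """CAs that expire within threshold_days of now, with the true day count."""
    return [(issuer, days_until(when, now)) for issuer, when in certs
            if days_until(when, now) <= threshold_days]


def parse_syslog_days(line):
    """Extract the 'N days' value from a cepki expiry message, or None."""
    m = LOG_RE.search(line)
    return int(m.group(1)) if m else None


def explain_log_value(line, certs, now):
    """Match the logged value to a CA under the assumed days*24 mis-scaling;
    returns (issuer, real_days, logged_value) or None if nothing matches."""
    logged = parse_syslog_days(line)
    for issuer, days in expiring_within(certs, now):
        if days * 24 == logged:
            return issuer, days, logged
    return None


if __name__ == "__main__":
    certs = parse_trustpool(SAMPLE_TRUSTPOOL)
    for issuer, days in expiring_within(certs, LOG_TIME):
        print(f"{days:>4} days left: {issuer}")
    print(explain_log_value(SAMPLE_LOG, certs, LOG_TIME))
```

Run against the posted output and log line, it reports DST Root CA X3 as the only CA within 30 days, with 20 real days left, and confirms 20 * 24 is exactly the 480 the router logged. Paste your own trustpool output into SAMPLE_TRUSTPOOL to get the same check for any device; day counting uses ceil of the remaining seconds so a partial day counts as a day, which is how an operator reads "expires in N days".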

smilstea
Cisco Employee

This is fixed via CSCvs73344. It is fixed in 7.3.2 and later.

Symptom:
DST Root CA in trustpool is expired on 30 Sep 2021

Conditions:

Workaround:
config
crypto ca trustpoint <trustpoint name>
enrollment terminal
domain name <domain_name>
commit
exit
Then do crypto ca authenticate <trustpoint name>, then paste the new certificate.

Further Problem Description:

It looks like this fix removes the certificate.

 

More info on the change in certificate is here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

It does not affect traffic but may cause e.g. SSH problems. Also, there is a potential cepki process respawn problem which is fixed with the following DDTS:

CSCvo69790

 

Sam

Hi Sam,

 

Can you please advise how to remove the problematic CA from my current version of IOS-XR (6.4.2)? I am still running RSP440s, so it's not possible to perform a system upgrade to 7.3.2.

I am not sure how the listed workaround will help remove the certificate to prevent cepki from respawning, since it doesn't seem to replace the expiring certificate, only add a new CA (which I shouldn't need anyway).

We are working on an official external communication for this issue; it should be out today or tomorrow. We have some new info and have consolidated everything. The one piece we are missing is how to clear the expired certificate, but to put your mind at ease, once it does expire you should see a syslog or two and at most one process restart of cepki. There should be no other impact, nothing to forwarding, or to manageability such as SSH.