Tue. Nov 19th, 2019

Expired SSL certificates in the Cisco VPN will disrupt network configuration

2 min read
Anyone running a Cisco-supported virtual private network (VPN) may need to install an update to make sure everything is working. This is because Cisco inadvertently allows SSL certificates embedded in the Switchzilla Application Policy Infrastructure Controller Enterprise Module (APIC-EM) of the software-defined network controller to expire on July 13.
Image:By Cisco (Cisco) [Public domain], via Wikimedia Commons
In a notice issued on August 6, Cisco explained:
“The APIC-EM Public Key Infrastructure (PKI) broker fails in affected software versions. As a result, the APIC-EM instance becomes unable to provision trustpoints. APIC-EM instances with this problem are not able to generate new device Secure Sockets Layer (SSL) certificates or use the APIC-EM Intelligent WAN (IWAN) application to deploy new hub/branch sites.”
The reason for this is that the embedded SSL certificate expires, preventing the creation of any new trust points. The embedded SSL certificate acts as the root of an open source certification authority called EJBCA. When the root certificate is valid, it can issue, update, and revoke X.509 certificates for authentication and encryption across VPNs.
When the root is untrusted or expires, you will no longer be able to issue new certificates, and it is possible to turn all existing certificates that are linked back to expired certificates into untrusted. Although the latter did not happen, the problem of not being able to issue certificates properly still caused a large number of users to create new ones.

“A fix for this problem will be available in APIC-EM Release 1.6.3. Alternatively, a qualified Cisco engineer can apply a manual patch to affected systems. Contact the Technical Assistance Center (TAC) for assistance with the manual patch.”

The impact of a single certificate expiration is significant, and an expired certificate will remove most of your attack defenses.