Expired SSL Certificate in Cisco VPN kit breaks network provisioning
Certificate expiration can happen to anyone, let this be a cautionary tale.
Anyone running an inter-office Cisco-powered Virtual Private Network (VPN) is probably going to need to install an update to ensure everything continues working properly. That’s because Cisco inadvertently allowed an SSL certificate embedded in Switchzilla’s Application Policy Infrastructure Controller Enterprise Module (APIC-EM), a software-defined networking controller, to expire on July 13th.
In a Field Notice issued yesterday, August 6th, Cisco notified its users of the issue:
The APIC-EM Public Key Infrastructure (PKI) broker fails in affected software versions. As a result, the APIC-EM instance becomes unable to provision trustpoints. APIC-EM instances with this problem are not able to generate new device Secure Sockets Layer (SSL) certificates or use the APIC-EM Intelligent WAN (IWAN) application to deploy new hub/branch sites.
The cause of this was the expiration of the embedded SSL certificate, thus preventing the creation of any new trust points.
Here’s what that means in layman’s terms. The embedded SSL certificate was effectively serving as a root for an open-source certificate authority called EJBCA. When the root certificate was valid, it could issue, renew and revoke the X.509 certificates being used for authentication and encryption across the VPN.
When the root goes bad, or expires, you can no longer issue new certificates, and every existing certificate that chains back to the expired root is at risk of becoming untrusted. That latter part doesn’t appear to have actually occurred; rather, Cisco VPN users are simply being blocked from creating new endpoints because the proper digital certificates can no longer be issued.
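The failure mode just described, as an added example that is not Cisco's code or anything from APIC-EM: a constructed root CA and one device certificate issued under it, with chain validation run a month before and a day after the root's expiry date. The names, dates and the choice of Go's crypto/x509 verifier are assumptions; whether already-issued certificates stop validating once the root expires depends on the validator, and Go's rejects the whole chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key under parent (pass tmpl as parent for self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// BuildChain creates a constructed root CA expiring at rootNotAfter (standing in for the embedded
// APIC-EM root) and one device certificate it issued (standing in for a provisioned branch device).
func BuildChain(rootNotAfter, leafNotAfter time.Time) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "embedded-root"},
		NotBefore: start, NotAfter: rootNotAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "branch-router-1"},
		NotBefore: start, NotAfter: leafNotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// Trusted reports whether leaf still chains to root when validated at time `at`.
// Go's verifier checks the validity window of every certificate in the chain, the root included.
func Trusted(root, leaf *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil
}

func main() {
	expiry := time.Date(2018, 7, 13, 0, 0, 0, 0, time.UTC) // the root's expiry date from the Field Notice
	root, leaf := BuildChain(expiry, expiry.AddDate(1, 0, 0))
	fmt.Println("trusted before root expiry:", Trusted(root, leaf, expiry.AddDate(0, -1, 0)), "after:", Trusted(root, leaf, expiry.AddDate(0, 0, 1)))
}
```

The device certificate itself is still within its own validity period on the second date; it is the root's expiry alone that breaks the chain.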
As per Cisco, a fix is on its way.
A fix for this problem will be available in APIC-EM Release 1.6.3. Alternatively, a qualified Cisco engineer can apply a manual patch to affected systems. Contact the Technical Assistance Center (TAC) for assistance with the manual patch.
Now, the point of this discussion isn’t to criticize Cisco, but rather to point out just how much of an effect a single expired SSL certificate can have. We harp all the time on not letting certificates expire without having a replacement ready, and this is why. Just one certificate has the ability to knock out a large portion of your defensive posture.
That’s why, especially at the Enterprise level, certificate visibility and having the proper tools to manage certificate life cycles is so critically important. Speaking with some of our enterprise account managers, the biggest challenge facing most organizations isn’t procuring the certificates – that’s never been easier – it’s managing them.
Does your organization have the tools in place to see and manage all of your digital certificates? Would you be interested in learning how?
As always, feel free to leave any comments or questions below.