We have an old Cisco WLC 5760 with some expiring certificates on it.
WLC01#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 3D74CA5C0000000F83D5
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  Subject:
    Name: AIR-CT5760-A0554F653700
    Serial Number: PID:AIR-CT5760 SN:FOC1904V020
    cn=AIR-CT5760-A0554F653700
    serialNumber=PID:AIR-CT5760 SN:FOC1904V020
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca2.crl
  Validity Date:
    start date: 13:45:42 Winter Jan 27 2015
    end   date: 13:55:42 Winter Jan 27 2025
  Associated Trustpoints: CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 151E2E110000002B9E57
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: AIR-CT5760-A0554F653700
    Serial Number: PID:AIR-CT5760 SN:FOC1904V020
    cn=AIR-CT5760-A0554F653700
    serialNumber=PID:AIR-CT5760 SN:FOC1904V020
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca.crl
  Validity Date:
    start date: 13:41:01 Winter Jan 27 2015
    end   date: 13:51:01 Winter Jan 27 2025
  Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY
About 9 months ago we had issues with a few APs having expiring certificates, and we followed this Cisco workaround and got them working again with the config below:
crypto pki trustpool policy
 revocation-check none
 match certificate ap-cert-expired allow expired-certificate
!
!
!
crypto pki certificate map ap-cert-expired 1
 issuer-name co cisco manufacturing ca
At the time I thought this would resolve the issue on the 27th of Jan. However, going over it again now, I'm not so sure. The way I read it, this workaround tells the WLC to accept expired certificates from APs etc., but it doesn't tell other devices like APs and anchor controllers to accept its own expired certificate(s).
So on the 27th Jan are we going to have issues? And if so, is there config I can apply to the APs (Cisco 3702I) and the anchor controllers (Cisco 5508) to mitigate the issue?
Note – This is a historic wireless network that is in the process of being pulled out but probably won't be fully out by the 27th Jan.
Below is the full output of the show command above; all of the remaining certs have plenty of time to go.
WLC01#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 3D74CA5C0000000F83D5
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  Subject:
    Name: AIR-CT5760-A0554F653700
    Serial Number: PID:AIR-CT5760 SN:FOC1904V020
    cn=AIR-CT5760-A0554F653700
    serialNumber=PID:AIR-CT5760 SN:FOC1904V020
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca2.crl
  Validity Date:
    start date: 13:45:42 Winter Jan 27 2015
    end   date: 13:55:42 Winter Jan 27 2025
  Associated Trustpoints: CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 151E2E110000002B9E57
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: AIR-CT5760-A0554F653700
    Serial Number: PID:AIR-CT5760 SN:FOC1904V020
    cn=AIR-CT5760-A0554F653700
    serialNumber=PID:AIR-CT5760 SN:FOC1904V020
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca.crl
  Validity Date:
    start date: 13:41:01 Winter Jan 27 2015
    end   date: 13:51:01 Winter Jan 27 2025
  Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: Signature
  Issuer:
    cn=Cisco Root CA M2
    o=Cisco
  Subject:
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/crcam2.crl
  Validity Date:
    start date: 13:50:58 Winter Nov 12 2012
    end   date: 07:32:01 Summer time Oct 7 1901
  Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Cisco Root CA M2
    o=Cisco
  Subject:
    cn=Cisco Root CA M2
    o=Cisco
  Validity Date:
    start date: 13:00:18 Winter Nov 12 2012
    end   date: 07:32:02 Summer time Oct 7 1901
  Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 6A6967B3000000000003
  Certificate Usage: Signature
  Issuer:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date:
    start date: 23:16:01 Summer time Jun 10 2005
    end   date: 21:25:42 Summer time May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY Trustpool
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
  Certificate Usage: Signature
  Issuer:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Validity Date:
    start date: 21:17:12 Summer time May 14 2004
    end   date: 21:25:42 Summer time May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY0 Trustpool
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-2971109870
  Subject:
    Name: IOS-Self-Signed-Certificate-2971109870
    cn=IOS-Self-Signed-Certificate-2971109870
  Validity Date:
    start date: 11:11:07 Summer time Jun 9 2015
    end   date: 00:00:00 Winter Jan 1 2020
  Associated Trustpoints: TP-self-signed-2971109870
  Storage: nvram:IOS-Self-Sig#3.cer
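
One way to audit output like the above for the expiry problem the post describes, as an added example (not part of the original post and not Cisco tooling): it parses `show crypto pki certificates` text and classifies each entry by its validity window. The sample text is constructed, the function names are hypothetical, and the `suspect-date` label for an end date earlier than the start date is this example's own convention.

```python
import re
from datetime import datetime, timedelta
# Constructed sample modelled on the post's output (timezone written as UTC;
# the parser skips whatever token sits between the clock and the month).
SAMPLE = """\
Certificate
  Validity Date:
    start date: 13:45:42 UTC Jan 27 2015
    end   date: 13:55:42 UTC Jan 27 2025
  Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
  Validity Date:
    start date: 13:50:58 UTC Nov 12 2012
    end   date: 07:32:01 UTC Oct 7 1901
  Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool
CA Certificate
  Validity Date:
    start date: 21:17:12 UTC May 14 2004
    end   date: 21:25:42 UTC May 14 2029
  Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY0 Trustpool
"""
HEADER = re.compile(r"^(CA |Router Self-Signed )?Certificate\s*$")
DATE = re.compile(r"^\s*(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+.*?([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s*$")
TRUST = re.compile(r"^\s*Associated Trustpoints:\s*(.+?)\s*$")

def parse_certs(text):
    # One dict per certificate entry: type, start, end, trustpoints.
    certs = []
    for line in text.splitlines():
        if HEADER.match(line):
            certs.append({"type": line.strip()})
        elif certs and (m := DATE.match(line)):
            which, clock, mon, day, year = m.groups()
            certs[-1][which] = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        elif certs and (m := TRUST.match(line)):
            certs[-1]["trustpoints"] = m.group(1)
    return certs

def classify(cert, now, warn_days=90):
    start, end = cert.get("start"), cert.get("end")
    if start is None or end is None:
        return "unparsed"
    if end < start:  # displayed end date precedes the start date: do not trust it
        return "suspect-date"
    if end <= now:
        return "expired"
    return "expiring" if end - now <= timedelta(days=warn_days) else "ok"

def report(text, now, warn_days=90):
    return [(c.get("trustpoints", "?"), classify(c, now, warn_days)) for c in parse_certs(text)]
```

Entries reported as `suspect-date` should be checked by decoding the certificate itself rather than relying on the displayed dates.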