Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Cisco IOS Content Filtering (Trend Micro) Certificate Change - Aug 17, 2012

Please NOTE:  Trend Micro's CA Certificate changed again on Sept. 4, 2013.  Please use the certificate in the following doc instead: 

https://supportforums.cisco.com/docs/DOC-36825

 

 

Overview of Cisco IOS Content Filtering

The  Subscription-based Cisco IOS Content Filtering feature interacts with  the Trend Micro URL filtering service so that HTTP requests can be  allowed or blocked, and logged, based on a content filtering policy. The  content filtering policy specifies how to handle items such as web  categories, reputations (or security ratings), trusted domains,  untrusted domains, and keywords. URLs are cached on the router, so that  subsequent requests for the same URL do not require a lookup request,  thus improving performance.

 

For more information about the Cisco IOS Content Filtering solution, please see the IOS Content Filtering document (DOC-8028)

 

Problem

On August 17, 2012 the Identity certificate was changed on the Trend Micro server that the Cisco IOS device talks to.  Since the new identity certificate is signed by a different Certificate Authority (CA), all users of the Cisco IOS Content Filtering feature must replace the CA certificate installed on the Cisco IOS device with the new CA certificate listed below, for the content filtering feature to continue working after August 17, 2012.

 

Resolution

Affected users (which is all users who are using the Cisco IOS Content Filtering Feature), must log into their Cisco IOS device and update the CA Certificate for the Trend Micro server.  In the below example, the trustpoint name is trendmicro, however it may be different on your specific device.  You may however just copy and paste in the commands below (in configuration mode) to install the new CA certificate.

 

Step 1 - Remove Existing (old) CA Certificate

 

Issue the command no crypto pki trustpoint trendmicro (where trendmicro is the current name of your trustpoint).  You will be prompted to ensure you want to delete the existing trustpoint, choose Yes.

 

 

router(config)#no crypto pki trustpoint trendmicro

% Removing an enrolled trustpoint will destroy all certificates

received from the related Certificate Authority.

 

Are you sure you want to do this? [yes/no]: yes

% Be sure to ask the CA administrator to revoke your certificates.

 

 

Step 2 - Installing new CA certificate

 

crypto pki trustpoint trendmicro

revocation-check none

enrollment terminal

crypto pki authenticate trendmicro

 

-----BEGIN CERTIFICATE-----

MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT

MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i

YWwgQ0EwHhcNMTAwMjE5MjIzOTI2WhcNMjAwMjE4MjIzOTI2WjBAMQswCQYDVQQG

EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xGDAWBgNVBAMTD0dlb1RydXN0

IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJCzgMHk5Uat

cGA9uuUU3Z6KXot1WubKbUGlI+g5hSZ6p1V3mkihkn46HhrxJ6ujTDnMyz1Hr4Gu

FmpcN+9FQf37mpc8oEOdxt8XIdGKolbCA0mEEoE+yQpUYGa5jFTk+eb5lPHgX3UR

8im55IaisYmtph6DKWOy8FQchQt65+EuDa+kvc3nsVrXjAVaDktzKIt1XTTYdwvh

dGLicTBi2LyKBeUxY0pUiWozeKdOVSQdl+8a5BLGDzAYtDRN4dgjOyFbLTAZJQ50

96QhS6CkIMlszZhWwPKoXz4mdaAN+DaIiixafWcwqQ/RmXAueOFRJq9VeiS+jDkN

d53eAsMMvR8CAwEAAaOB2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEJ5

VBthzVUrPmPVPEhX9Z/7Rc5KMB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4

ysxOMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov

L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEE

KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZI

hvcNAQEFBQADggEBANTvU4ToGr2hiwTAqfVfoRB4RV2yV2pOJMtlTjGXkZrUJPji

J2ZwMZzBYlQG55cdOprApClICq8kx6jEmlTBfEx4TCtoLF0XplR4TEbigMMfOHES

0tdT41SFULgCy+5jOvhWiU1Vuy7AyBh3hjELC3DwfjWDpCoTZFZnNF0WX3OsewYk

2k9QbSqr0E1TQcKOu3EDSSmGGM8hQkx0YlEVxW+o78Qn5Rsz3VqI138S0adhJR/V

4NwdzxoQ2KDLX4z6DOW/cf/lXUQdpj6HR/oaToODEj+IZpWYeZqF6wJHzSXj8gYE

TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=

-----END CERTIFICATE-----

quit

 

 

After pasting in the above commands, you should see the following output, and the Cisco IOS device will prompt you to accept the new certificate.  Please make sure you answer yes at the prompt.

 

 

Trustpoint 'trendmicro ' is a subordinate CA and holds a non self signed cert

Certificate has the following attributes:

       Fingerprint MD5: DFF1B76B 258DBE73 48E37668 97A93871

      Fingerprint SHA1: 780A06F6 E9B4061C AD0C6502 710606EB 535F1C26

 

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted

% Certificate successfully imported

 

 

Once the CA certificate has been installed, the Cisco IOS Content Filtering feature will resume working.

 

 

Verification

Certificate Installation Verification

To verify that the new CA certificate has been installed properly, issue the command:  show crypto pki certificates

 

Trend Micro Communication Verification

To verify that the Cisco IOS device is able to successfully communicate with the Trend Micro server issue the following commands:

 

   trm register

 

   show ip trm subscription status

 

 

You forcing the Cisco IOS device to register with Trend Micro, you should see that the status is Active in the output of show ip trm subscription status.

 

router# show ip trm subscription status 

       Package Name:  Security & Productivity

------------------------------------------------

             Status:  Active

Status Update Time:  11:31:43 UTC Wed Aug 15 2012

    Expiration-Date:  Sat May 25 07:00:00 2013

    Last Req Status:  Processed response successfully

Last Req Sent Time:  11:31:43 UTC Wed Aug 15 2012

Version history
Revision #:
2 of 2
Last update:
‎08-29-2017 03:03 AM
Updated by:
 
Labels (1)
Contributors
Comments
New Member

My router configs have the command crypto pki certificate chain trendmicro instead of crypto pki authenticate trendmicro.  Would that change the above commands?  Also, I don't see any issues with the content filtering.  I ran show policy-map type inspect zone-pair urlfilter twice and Total responses received from URL Filter Server increased.  Show ip trm subscription status shows Active. No events in log.  Seems like router should show some indication there's an issue.