The Subscription-based Cisco IOS Content Filtering feature interacts with the Trend Micro URL filtering service so that HTTP requests can be allowed or blocked, and logged, based on a content filtering policy. The content filtering policy specifies how to handle items such as web categories, reputations (or security ratings), trusted domains, untrusted domains, and keywords. URLs are cached on the router, so that subsequent requests for the same URL do not require a lookup request, thus improving performance.
On September 4, 2013 the Identity certificate was changed on the Trend Micro server that the Cisco IOS device talks to. Since the new identity certificate is signed by a different Certificate Authority (CA), all users of the Cisco IOS Content Filtering feature must replace the CA certificate installed on the Cisco IOS device with the new CA certificate listed below, for the content filtering feature to continue working after Septemeber 4, 2013.
Affected users (which is all users who are using the Cisco IOS Content Filtering Feature), must log into their Cisco IOS device and update the CA Certificate for the Trend Micro server. In the below example, the trustpoint name is trendmicro, however it may be different on your specific device. You may however just copy and paste in the commands below (in configuration mode) to install the new CA certificate.
Step 1 - Remove Existing (old) CA Certificate
Issue the command no crypto pki trustpoint trendmicro (where trendmicro is the current name of your trustpoint). You will be prompted to ensure you want to delete the existing trustpoint, choose Yes.
After pasting in the above commands, you should see the following output, and the Cisco IOS device will prompt you to accept the new certificate. Please make sure you answer yes at the prompt.
Trustpoint 'trendmicro' is a subordinate CA and holds a non self signed cert Certificate has the following attributes: Fingerprint MD5: 52F268ED F9148A9F 59384DDF A4131E2D Fingerprint SHA1: 0AD58B34 4C169343 D107713D BEE0DCCA 261F1EE4
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted
% Certificate successfully imported
Once the CA certificate has been installed, the Cisco IOS Content Filtering feature will resume working.
Certificate Installation Verification
To verify that the new CA certificate has been installed properly, issue the command: show crypto pki certificates
Trend Micro Communication Verification
To verify that the Cisco IOS device is able to successfully communicate with the Trend Micro server issue the following commands:
show ip trm subscription status
You forcing the Cisco IOS device to register with Trend Micro, you should see that the status is Active in the output of show ip trm subscription status.