VIP Red

default Keyring's certificate is invalid, reason: unknown

After upgrade to 2.1.2a, 2 UCS domains actually came with this error.

Description: default Keyring's certificate is invalid, reason: unknown

Cause: invalid-keyring-certificate

Code: F0909

I did the procedure

FI-A# scope security
FI-A/security # scope keyring default
FI-A/security/keyring # set regenerate yes
FI-A/security/keyring* # commit

Which didn't help?

Any advice is appreciated

Walter.

19 REPLIES
VIP Red

default Keyring's certificate is invalid, reason: unknown

Here some additional information

FI-BAL16-1-A /security # sho keyring detail
Keyring default:
    RSA key modulus: Mod2048
    Trustpoint CA:
    Cert Status: Unknown
    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b7:2b:15:ef:b6:67:ea:9e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=FI-BAL16-1
        Validity
            Not Before: Jul 17 13:40:22 2013 GMT
            Not After : Jul 17 13:40:22 2014 GMT
        Subject: CN=FI-BAL16-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

New Member

default Keyring's certificate is invalid, reason: unknown

Hi,

Thanks for the details. Got the same error and also a "dead" IOM which isn't fixed yet.

See the other post. ;-)

But on both of my FIs (which are on 2.1.2a by now) I got this:

Keyring default:
    RSA key modulus: Mod1024
    Trustpoint CA:
    Cert Status: Unknown
    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:95:d4:5d:a1:4c:1d:d2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=fib-A
        Validity
            Not Before: Nov 19 11:13:11 2012 GMT
            Not After : Nov 19 11:13:11 2013 GMT
        Subject: CN=fib-A
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

It is a very interesting update...

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello Walter / Timo,

The cert status is identified as "unknown", and hence the fault.

We are tracking this issue via CSCui06351.

It will take a while to get published on cisco.com.

Copy of release notes

Symptom:

Major fault is raised for default keyring certificate status showing as unknown.

Conditions:

When the default keyring exists, the certificate status is evaluated as unknown. This is because the default keyring certificate is a self-signed certificate. The same certificate is used for HTTPS communication. Clients trying to access UCSM over HTTPS fail to validate the certificate because it is a self-signed certificate.

Workaround:

Use a non-default keyring for HTTPS communication. It is not recommended to use a self-signed certificate for HTTPS. If the customer is using the default certificate (which is not recommended), it is OK to ignore this fault. It is always recommended to use a certificate signed by a well-known/trusted CA.

------------------------------------------------------

@ Walter,

Hope you are doing good. Glad to see you on CSC :-)

HTH

Padma
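The release notes above attribute the fault to the default keyring's certificate being self-signed, which is also why browsers cannot validate it. As an added example (not from this thread or from Cisco), here is a Python script that parses a `show keyring detail` block like the ones posted above and lists the reasons a client would refuse the certificate: self-signed (issuer equals subject), expired, short RSA key, or SHA-1 signature. The sample block is constructed from the fields shown in the thread; the key-size and signature-algorithm checks go beyond what the thread itself discusses.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `show keyring detail` output posted in the thread.
SAMPLE_KEYRING = """Keyring default:
    RSA key modulus: Mod1024
    Cert Status: Unknown
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=fib-A
            Not Before: Nov 19 11:13:11 2012 GMT
            Not After : Nov 19 11:13:11 2013 GMT
        Subject: CN=fib-A
"""

def _field(text, label):
    """Value of a 'Label: value' line, or '' if the line is absent or empty."""
    m = re.search(rf"^\s*{label}\s*:\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else ""

def parse_keyring(text):
    """Extract the fields needed to judge the certificate from one keyring block."""
    name = re.search(r"^\s*Keyring\s+(\S+):", text, re.M)
    bits = re.sub(r"\D", "", _field(text, "RSA key modulus"))  # "Mod1024" -> "1024"
    not_after = datetime.strptime(_field(text, "Not After"), "%b %d %H:%M:%S %Y GMT")
    return {
        "name": name.group(1) if name else "",
        "key_bits": int(bits or 0),
        "status": _field(text, "Cert Status"),
        "sig_alg": _field(text, "Signature Algorithm"),
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "not_after": not_after.replace(tzinfo=timezone.utc),
    }

def assess(info, now=None):
    """Reasons a client (or an admin) should not trust this certificate, in check order."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["issuer"] == info["subject"]:
        findings.append("self-signed: issuer equals subject, so clients cannot chain it to a CA")
    if now >= info["not_after"]:
        findings.append("expired on " + info["not_after"].strftime("%Y-%m-%d"))
    if info["key_bits"] < 2048:
        findings.append(f"weak RSA key: {info['key_bits']} bits")
    if info["sig_alg"].lower().startswith(("md5", "sha1")):
        findings.append(f"weak signature algorithm: {info['sig_alg']}")
    return findings
```

Feed the captured text of `show keyring detail` to `assess(parse_keyring(text))`; an empty list means none of the four conditions applies.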

New Member

default Keyring's certificate is invalid, reason: unknown

Hi Padma,

We are using our own certificates from a trusted CA (the cert is in all browsers, with at least 2 sub-CAs) on our FIs.

Next to the default keyring. Working fine so far.

Does that mean we can safely delete the default keyring?

And we won't get any trouble later while doing any upgrade of firmware etc.?

That is how I understand your answer.

Can you please clarify this topic before I delete any default keyring?

Thanks a lot for your help.

Regards,

Timo

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello Timo,

If you are using a third-party CA, you can safely delete the default (self-signed certificate) keyring.

Padma

New Member

default Keyring's certificate is invalid, reason: unknown

Thank you for the update. I opened a TAC case on this same issue yesterday after we upgraded to 2.1(2a).

New Member

default Keyring's certificate is invalid, reason: unknown

Dear Padramas,

I got the same problem too. Is there any possibility to clear this fault? As we do not have any third-party cert. Thanks!

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello Qi Liu,

We can safely ignore the fault and it does not affect any functionality.

Apart from using a third-party cert, there is no other option to clear the fault.

Padma

New Member

default Keyring's certificate is invalid, reason: unknown

Hi Padramas,

OK, we can ignore the fault, but when will a solution to resolve the fault be deployed in UCS Manager?

Regards, Frank

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello Frank,

We are actively working on it and will update the thread when I have more information on it.

Please note this defect only applies if you have UCSM 2.1.2 with the self-signed cert showing cert status / reason as UNKNOWN.

Padma

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello Padma,

I really wish to know why Cisco implemented this now. In my opinion this is not relevant in an already protected datacenter environment; it could be a simple alert, but as a fault this is a bad thing.

I'm facing some trouble with my customers doing KVM access correctly; probably I will do a rollback of the UCS version.

Padma, please keep us updated about it.

Thank you.

Richard

New Member

Re: default Keyring's certificate is invalid, reason: unknown

Hi Richard,

Cisco did not intentionally implement this. The problem that you are experiencing is due to a bug and certainly was not by design. Although, as Padma pointed out, a certificate from a trusted CA is the preferred scenario.
I can assure you that it is being closely examined.

Thanks.

-Bruce

Cisco Employee

Re: default Keyring's certificate is invalid, reason: unknown

Thanks Bruce.

I will follow this thread.

Richard.

New Member

default Keyring's certificate is invalid, reason: unknown

I'm also dealing with this issue for a customer. Has a TAC been entered and has there been a response?

New Member

default Keyring's certificate is invalid, reason: unknown

Hi Joe,

Yes, TAC has been involved and there has been a bug opened against this issue. Engineering is actively looking into this and will work to resolve this problem.

Thanks.

-Bruce

New Member

default Keyring's certificate is invalid, reason: unknown

It's been a few weeks, is there any update to this? I have multiple customer chassis on 2.1(2a) and all having this issue. If I need to open my own case I can, but was hoping to hear about a resolution here.

Thanks,

Allen

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello Allen and all,

If you have upgraded to 2.1.2a, are using a self-signed cert, and the system has a fault that says cert "status unknown", then there is no need to open a TAC service request.

Apart from using a third-party certificate, there is no workaround to suppress the fault.

You can safely ignore the alert.

We have fixed the issue where status will be displayed correctly for self-signed certs and would not generate the fault.

The next patch release 2.1.2b will have this fix. I do not have ETA but should be out soon.

I will update the thread once I have additional information.

Thanks for your patience.

Padma

New Member

default Keyring's certificate is invalid, reason: unknown

Thank you Padma, for saying this even more eloquently than I was about to.

Thanks.

-Bruce

Cisco Employee

default Keyring's certificate is invalid, reason: unknown

Hello,

The issue is fixed in UCSM 2.1.2c and above.

http://www.cisco.com/en/US/docs/unified_computing/ucs/release/notes/UCS_28313.html#wp200273

Padma
