Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

UCSM 2.0(3b) - Keyring Bug

I have done a few upgrades/installs of 2.0(3b) over the last 7-10 days, and each and every time the installation of this version expires the default keyring and it needs to be regenerated via the CLI.

I noticed this wasn't in the known open caveats so wanted to highlight this here.

Everyone's tags (4)
Cisco Employee

UCSM 2.0(3b) - Keyring Bug


Can you please get me the output of:

scope security

show keyring default detail

There is an open bug on that version that shows the SSL cert validity to be one month (not 7-10 days).  Once we confirm if this is the issue you're seeing I'll request you to open a TAC SR so we can attach the bug and track for you.



New Member

UCSM 2.0(3b) - Keyring Bug

Hi Robert,

Sorry for the delay in replying. Do you need the output from a system exhibiting the issue or can it be from one that has had the keyring regenerated?

I've fixed most of the installations/upgrades I've done as I don't like to leave with any errors showing. If it needs to be exhibiting the error I can recreate this in our lab tomorrow.

Many thanks,


Cisco Employee

UCSM 2.0(3b) - Keyring Bug

I'd need the output from a "problem system" to identify the bug.  You're applying the correct work around it sounds like so unless its a task to get the output you can just fix it. 

The issue has to do with the default expiration date on the system cert.  Regenerating is is the correct fix.  This will be permanently fixed in future releases also.



Cisco Employee

UCSM 2.0(3b) - Keyring Bug

Hello Jason,

To add further, you want to check the validity of the certificate before starting the upgrade.

In earlier releases, system does not raise an alert when the certificate has expired.

It is fixed in 2.0.3a and above. So it might look like upgrade is generating an alert but really the fixed code is generating alert for an expired certificate that existed before the upgrade.