IOS Self-Signed Certificate issue can affect wired redirects

You may or may not have seen the notice released from Cisco titled IOS Self-Signed Certificate Expiration on Jan. 1, 2020 but it is an important one. The intro sums it up:

At 00:00 on 1 Jan 2020 UTC, all Self-Signed Certificates (SSC) that were generated on IOS/IOS-XE systems will expire, unless the system was running a fixed version of IOS/IOS-XE when the SSC was generated.  After that time, unfixed IOS systems will be unable to generate new SSCs.  Any service that relies on these self-signed certificates to establish or terminate a secure connection might not work after the certificate expires.

One of the services affected is the switch HTTPS server. Originally, we utilized the HTTPS server for redirection (guest or posture) of HTTPS traffic. I haven’t utilized HTTPS redirection in a while since I stopped including that in my configs (see my previous article).

The solution is to upgrade IOS/IOS XE to a version with the bug fixed.

  • Cisco IOS Software Release 15.6(3)M7 and later; 15.7(3)M5 and later; or 15.8(3)M3 and later
  • Cisco IOS XE Software Release 16.9.1 and later

There are three workarounds listed in the Cisco article if a software upgrade isn’t an immediate option.

  1. Obtain a valid certificate from a 3rd part Certificate Authority (CA)
  2. Use the IOS CA Server to generate a new certificate
  3. Use OpenSSL to generate a new self-signed certificate

Another option to look at is to stop redirecting HTTPS traffic. The client would then not be required to be proxied through the switch HTTPS server at all and it’s one less thing you have to enable on the switch.

Share this post:

Leave a Reply

Your email address will not be published.