Old QuoVadis certificate issue starting to break Cisco products

The decommissioning of a root certificate is causing growing challenges for Cisco - and enterprise shops using the company’s product.

On March 31 2021, a QuoVadis root certificate authority, PKI Root CA 2, was decommissioned, and it is impacting a large number of hardware and software products from the networking giant.

Since mid-February, the company has been issuing field notices telling users they need to upgrade or replace systems.

“Many Cisco products and public-facing services are transitioning from a QuoVadis Public Key Infrastructure (PKI) Certificate Authority (CA) to a CA provided by IdenTrust,” Cisco explains.

The products and software need a working root CA because they use Transport Layer Security (TLS) or the deprecated Secure Sockets Layer (SSL) to secure connections to services like Cisco Smart Licensing and Smart Call Home.

The knock-on effects are extensive, with collaboration, data centre, enterprise networking, Internet of Things, security, service provider, and small business product lines identified as needing attention.

Three of those products are out of service, and will have to be replaced. These include two lines of Cisco phone (the SPA5xx and CP-8831 ranges), and a small business VoIP adapter (the SPA112/122 range).

In those cases, the devices depend on the expiring certificates to establish SIP or HTTPS connections.

The Smart Licensing and Smart Call Home failures hit the company’s Nexus data centre switches, its IOS XE and Converged Broadband Router enterprise software, and some versions of the Identity Services Engine.

A full explanation of why the certificate was decommissioned is provided by DigiCert, which operates the QuoVadis infrastructure, here.