THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Migration to new field notice system
|Affected OS Type
||Affected Release Number
||Mandatory SMU SAM changeset for certificate expiration.|
||Production SMU for SAM post Oct 2015.|
On October 17, 2015, the previously implemented Code Signing Server (CSS) certificates used in classic Cisco IOS-XR will expire. These CSS certificates are used by Cisco IOS-XR software (SW) in order to verify upgrades, downgrades, Software Maintenance Upgrades (SMUs), and Packages Installation Envelope (PIEs) before installation.
AS of Oct 17, 2015 the pre-expiry SMU phase of this CSS Certificate expiration program is now complete and should no longer be used.
Post-expiry SMU's should now be used going forward.
- PIEs are nonbootable files that contain a single package or a set of packages and are used to add SW package files to a running router.
- Abraxas is the new code signing certificate that will replace the CSS certificate.
Cisco IOS-XR currently uses CSS certificates in order to sign and verify upgrades, downgrades, SMUs, and PIEs in the installation process.
Cisco IOS-XR SW, SMUs, and PIEs are signed by these certificates.
Cisco IOS-XR SW, SMUs, and PIEs are allowed to install only if the system can validate the certificate and signature carried in the SMU/PIE.
Important Note: The issue described in this Field Notice only affects select Cisco IOS-XR Classic SW (refer to: Other Considerations below). Customers that run Cisco IOS-XR NG-based SW (for example, releases that only support NCS6k) are not affected.
On October 17, 2015, the previously implemented CSS certificates used in classic Cisco IOS-XR will expire.
After the October 17, 2015 expiration date, attempts to install a new Cisco IOS-XR image, SMU, or PIE without the mandatory SMU installed first will fail.
When trying to install or add a SMU/PIE post October 17 2015, you will run into the below error due to the expiration of the CSS certificate on Oct 17, 2015.
Error: Cannot proceed with the add operation because the code signing
Error: certificate has expired.
Error: Suggested steps to resolve this:
Error: - check the system clock using 'show clock' (correct with 'clock set' if necessary).
Error: - check the pie file was built within the last 5 years using '(admin) show install pie-info
Post this expiration date, provided no new image, SMU or pie installs are required, existing customer installations will continue to operate as expected even if the customer reboots a presently installed image with existing SMUs.
Customers have two primary options to apply a SMU in order to extend the certificate expiration:
1) Post-expiry SMU + Temporary Root Certificate:
- Download the post-expiry SMU from Cisco.com, which will be available on cisco.com October 18, 2015
- Add the Temporary Root Certificate file to the target node
- Install the post-expiry SMU (signed differently than the pre-expiry SMU)
- The Temporary Root Certificate and post-expiry SMU provides a similar workaround after the October 17, 2015 CSS expiration date
If the mandatory post-expiry SMU is not installed on affected nodes, the next attempt by the customer to install SW, SMU, or PIE on those systems will fail due to the expired CSS certificate. The customer can still download and install a temporary certificate file to the target node as a workaround and then apply the mandatory post-expiry SMU.
2) Cisco IOS-XR 5.3.2 and later will support Abraxas code signing.
Refer to the "How to Install Mandatory SMUs" section for the impact chart, Method of Procedure (MOP) Install document, and SMU locations.
How to Install Mandatory SMUs
Refer to Install MOP - CSS to Abraxas Migration for MOP installation instructions.
Use this table to determine SMU availability on the different IOS-XR images and HW platforms:
The post-expiry SMUs are now available on cisco.com. From the "Download Software" landing page, click Service Provider Core Routers or Service Provider Edge Routers and drill down into the product family SMU pages in order to obtain the correct "Hitless/Recommended, Post-Expire-Cert Expiration Mandatory SAM SMU".
A full path example for a CRS 8 slot 5.2.2 download is shown here:
1. Routers > (Note: The Download Software link gets you to this location.)
2. Service Provider Core Routers >
3. Carrier Routing System >
4. CRS-X 8-Slot Single-Shelf System >
5. IOS XR Software Maintenance Upgrades (SMU)-5.2.2
- This SMU can be installed on top of a Service Pack (SP) delivered before Sept 15th 2015.
- All future SP will include the post-expiry SMU.
- When you use the Service Pack/Feature Packs in Version 4.3.4, the installation of the hitless SMU might still warrant a reload. The user is notified in the Install Manager if this is required.
NCS 4000/6000 Series (Cisco IOS-XR NG)
Releases unaffected are used in NCS 4000/6000 Series router solely, Cisco IOS-XR NG based images: 5.0.0, 5.0.1, 5.2.1, 5.2.3, 5.2.5
No action needs to be taken for these NG-based releases.
Cisco IOS-XR Releases Deployed with the CSS Certificate Workaround Integrated:
Cisco IOS-XR Releases Deployed with the Abraxas Code Signing:
5.3.2, 5.3.3, 6.0 and later
End of Life SW Versions
Customers that do not have a supportedCisco IOS-XR SW version (SW is beyond Last Day of Support) and want to upgrade will need to purchase the SW version they need and address the CSS certificates accordingly.
Frequently asked Questions (FAQs)
These questions were consolidated from customer feedback collected after the original Field Notice Announcement in June 2015.
1. If the post-expiry SMU and new root certificate are installed after the expiration date of October 17, 2015 on code such as Cisco IOS-XR 4.2.3 and then upgraded to 5.1.3, do you have to install the 5.1.3 specific post-expiry SMU or does the 4.2.3 post-expiry SMU persist?
Yes, it is mandatory to install the 5.1.3 post-expiry SMU as well AFTER you upgrade.
2. If Cisco IOS-XR 5.1.3 is turbobooted on the router after the October 17, 2015 expiration date, does the post-expiry SMU and root certificate need to be installed first before you proceed with the installation of Cisco IOS-XR 5.1.3 SMUs?
Yes, it is mandatory to install the post-expiry SMU on the router after you turboboot unless you turboboot to a release that contains the new Abraxas signing code Cisco IOS-XR 5.3.2 or later, or to Cisco IOS-XR 5.3.1 which contains the CSS certificate workaround code.
3. If a pre-expiry SMU is already installed on the router and then you upgrade to Cisco IOS-XR 5.1.3, and then you want to upgrade to 6.0.0, do you need to install the post-expiry SMU on 5.1.3 first?
Yes, unless you merely perform a turboboot to 6.0.0.
4. If you have the Service Packs for 4.3.x installed and then try to install the pre or post-expiry SMU, will it be a hitless operation?
Yes, but only if the Service Pack was installed correctly with Cisco bug ID CSCul58246 (SP version handling). The SMU is installed first before the Service Pack is installed. Otherwise, the installation of the post-expiry SMU results in a router reload.
5. In which Service Pack will the post-expiry SMU be integrated?
All Service Packs released after September 16, 2015 will have the post-expiry SMU integrated within them.
6. Where is the intermediate root certificate (IRC) located?
The IRC is included in the post-expiry SMU tar bundle.
Additional questions, can be posted/asked on the following Cisco support forum
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.