Is anyone familiar with PKI certificates? We received a notice from our coaxial network operator that we need to verify our PKI certificates on our cable modems, because they expire in Sept 2021. I am reading the CableLabs info, but wondering if anyone has had experience with these in the past.
Thanks
The real solution is to get firmware signed by an updated certificate, from the modem manufacturer. However, for older modems that is unlikely/impossible to happen.
You will need to check with your CMTS vendor, but likely, an exception will need to be made to trust expired certs/not check if they are expired.
Casa is implementing it like so:
no cable privacy valid-period-check
which will not check if the certificate is still valid, but will still authorize against it.
We stumbled over this as well.
We're using this chance to get rid of oldish D2.0 and 8x4 D3.0 modems.
One vendor sent us a firmware update to extend the lifetime of its modems.
But the other modems are just victims of planned obsolescence.
For Cisco ubr you might want to try this command under EACH mac-domain:
interface Cable x/y/z
cable privacy skip-validity-period
I doubt the CMTS vendor will add that to their config, but good to know. How difficult is it to get the firmware from the manufacturer, say for an Arris TM822G, any tips on where/who to ask?
That particular modem has firmware that updates the certificate
Edit to reflect Docsis/Euro-Docsis
you need at least
9.1.103S5AN (for Regular Docsis)
9.1.103S5AR (for Euro-Docsis)
edit: you also need at least 7.5.50A installed on the modem before you can upgrade to latest release.
TM822 TS070550A_070412 (TS 7.5.50A)
The correct place to get firmware updates is from the modem manufacturer Arris (Commscope) you should contact Arris to gain access.
Here is the blurb from the release notes:
Added in TS 9.1.103S5AN
Manufacturer Device Certificate (PD 62965)
This firmware release introduces a newly extended DOCSIS Cable Modem Device
Manufacturer CA Certificate. The newly reissued CA Certificate is built into this release
of firmware and expires on 7/10/2041. The use of this newly reissued CA Certificate is
automatic and will be used in all CMTS communications after the firmware upgrade.
Edit:
Added in TS 9.1.103S5AR
Manufacturer Device Certificate (PD 77624)
This firmware release introduces a newly extended EURO DOCSIS Cable Modem
Device Manufacturer CA Certificate. The newly reissued CA Certificate is built into this
release of firmware and expires on 7/10/2041. The use of this newly reissued CA
Certificate is automatic and will be used in all CMTS communications after the firmware
upgrade.
Version S5AN will not work with Cisco CMTS
Only ver S5AR will solve the issue with Cisco CMTS
kwesibrunee, do you have access to version TS 9.1.103S5AN and/or AR version and able to share it with me? email is farewell4950@yahoo.com
How do you view the certificate information?
eg
See a list of manufacturer certs currently active on this CMTS
show cable privacy manufacturer-cert-list
and see the certificate from the CM
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-IETF-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text
I tried above on a few modems, and yes I see older D2.0 and some 8x4 D3.0 expire Jul or Sep 2021
eg
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
45:52:9c:26:54:79:7e:16:23:c6:e7:23:18:0a:9e:9c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Data Over Cable Service Interface Specifications, OU=Cable Modems, CN=DOCSIS Cable Modem Root Certificate Authority
Validity
Not Before: Sep 12 00:00:00 2001 GMT
Not After : Sep 11 23:59:59 2021 GMT
Subject: C=US, O=Arris Interactive, L.L.C., OU=DOCSIS, OU=Suwanee, Georgia, CN=Arris Cable Modem Root Certificate Authority
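The snmpget/openssl pipeline above needs openssl on the polling host and prints the whole certificate. The following is an added example, not code from the thread or from any CMTS/modem vendor: a small pure-Python DER walker that takes the Hex-STRING output of docsBpi2CmDeviceManufCert, pulls out the Validity window and classifies the modem cert as expired, expiring or ok against a chosen date. The certificate bytes it runs on are constructed inline (an unsigned skeleton with empty names, a placeholder serial and the 2001-09-12 to 2021-09-11 validity of the Arris CA cert quoted above); the helper names, the 365-day warning threshold and the "16 bytes per line" rendering of snmpget output are assumptions of the example.

```python
# Added example (not from the thread): parse the DER cert returned by
# docsBpi2CmDeviceManufCert and report its validity window, no openssl needed.
from datetime import datetime, timezone


def utc(year, month, day):
    """Convenience constructor for a UTC midnight datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_snmp_hex_string(text):
    """Turn net-snmp 'Hex-STRING:' output (possibly wrapped over several lines) into bytes."""
    _, _, hexpart = text.partition("Hex-STRING:")
    if not hexpart:
        raise ValueError("no Hex-STRING value in SNMP output")
    return bytes.fromhex("".join(hexpart.split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                     # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Walk Certificate -> TBSCertificate and return (notBefore, notAfter) as UTC datetimes."""
    _, cert, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, _, pos = read_tlv(tbs, pos)    # serialNumber
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    _, _, pos = read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)          # issuer Name
    tag, validity, _ = read_tlv(tbs, pos)   # Validity SEQUENCE
    if tag != 0x30:
        raise ValueError("Validity not found")
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return parse_time(t1, nb), parse_time(t2, na)


def expiry_status(der, now, warn_days=365):
    """Classify a modem cert as 'expired', 'expiring' (within warn_days) or 'ok'."""
    not_before, not_after = cert_validity(der)
    days_left = (not_after - now).days
    status = "expired" if now > not_after else ("expiring" if days_left <= warn_days else "ok")
    return {"status": status, "days_left": days_left,
            "not_before": not_before, "not_after": not_after}


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def build_sample_der():
    """Constructed, unsigned certificate skeleton: placeholder serial, empty names and key,
    dummy signature, validity 2001-09-12 .. 2021-09-11 like the Arris CA cert in the thread."""
    sha1_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")) + _tlv(0x05, b""))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))        # [0] version v3
           + _tlv(0x02, b"\x01")                  # serialNumber (placeholder)
           + sha1_rsa                             # signature algorithm (sha1WithRSAEncryption)
           + _tlv(0x30, b"")                      # issuer Name (empty in sample)
           + _tlv(0x30, _tlv(0x17, b"010912000000Z") + _tlv(0x17, b"210911235959Z"))
           + _tlv(0x30, b"")                      # subject Name (empty in sample)
           + _tlv(0x30, b""))                     # subjectPublicKeyInfo (empty in sample)
    return _tlv(0x30, _tlv(0x30, tbs) + sha1_rsa + _tlv(0x03, b"\x00"))


def as_snmp_output(der):
    """Render bytes the way snmpget prints a Hex-STRING (assumed: 16 bytes per line)."""
    hexbytes = ["%02x" % b for b in der]
    lines = [" ".join(hexbytes[i:i + 16]) for i in range(0, len(hexbytes), 16)]
    return "DOCS-BPI2-MIB::docsBpi2CmDeviceManufCert.2 = Hex-STRING: " + "\n".join(lines) + "\n"


if __name__ == "__main__":
    der = parse_snmp_hex_string(as_snmp_output(build_sample_der()))
    print(expiry_status(der, now=utc(2021, 1, 22)))
```

In practice you would feed parse_snmp_hex_string the captured snmpget output per modem and run expiry_status with today's date, which gives a per-modem list of what will stop registering before the firmware or CMTS workaround is in place.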
If the certificate expires, what happens:
* firmware upgrades no longer work?
and/or
* BPI stops working (registration rejected)?
There is a FAQ found here: https://www.cablelabs.com/dpkinfo
Long story short, if the DOCSIS root cert expires or is not valid (cert revoke list), modems that are chained to it cannot register. I don't believe this is dependent on BPI.
1) When the time comes that the certificate is no longer valid, three scenarios may happen:
a) A modem currently registered on the CMTS with privacy enabled (e.g. BPI enabled) will stay (w-)online(pt) indefinitely.
b) A modem with privacy enabled cannot successfully register after the validity date on the CMTS. So a reboot of modem a) is not possible. It will go into reject(pk).
c) A modem without privacy (BPI) can still register.
Hi
Has anyone tested the behavior in a lab by putting the CMTS and cable modem and DHCP etc. in 2022,
just to prove the theory that the Cisco skip-validity-period command works,
and prove that if BPI is not enabled then the modems continue working?
thanks
Patrick
Hi
So I tested the cisco workaround
Router#scm
                                                  D
MAC Address    IP Address      I/F      MAC          Prim RxPwr  Timing Num I
                                        State        Sid  (dBmv) Offset CPE P
0015.a4ce.a61d 10.65.0.6       C3/0/U0  online(pt)   1    -0.50  2864   0   N
0015.cf65.f04f 10.65.0.9       C3/0/U0  online(pt)   2    -0.50  2869   0   N
Router#show clock
*16:29:20.569 est Fri Jan 22 2021
Router#clock set 16:29:00 Jan 22 2022
Router#clear cable modem all reset
Router#show clock
.16:29:13.960 est Sat Jan 22 2022
Router#scm
                                                  D
MAC Address    IP Address      I/F      MAC          Prim RxPwr  Timing Num I
                                        State        Sid  (dBmv) Offset CPE P
0015.a4ce.a61d 10.65.0.6       C3/0/U0  reject(pk)   1    -0.50  2868   0   N
0015.cf65.f04f 10.65.0.9       C3/0/U0  reject(pk)   2    -1.00  2874   0   N
Router(config)#int c3/0
Router(config-if)#cable privacy skip-validity-period
Router#clear cable modem all reset
Router#scm
                                                  D
MAC Address    IP Address      I/F      MAC          Prim RxPwr  Timing Num I
                                        State        Sid  (dBmv) Offset CPE P
0015.a4ce.a61d 10.65.0.6       C3/0/U0  online(pt)   1    -0.50  2867   0   N
0015.cf65.f04f 10.65.0.9       C3/0/U0  online(pt)   2    -1.00  2877   0   N
Router#show clock
.16:36:01.340 est Sat Jan 22 2022
So:
the modems are online when the clock is 2021;
if I put the CMTS clock in 2022 and reset the modems, they come back in reject;
if I put the skip-validation config in and reset the modems, they come back online.
I think this is a good proof.
You may also want to test the other option, assuming Cisco is the same as the Casa implementation....
The skip-validity-check disables checking all certs, even valid ones...
Adding the cert in question as a trusted certificate bypasses the validity check for just the trusted cert, with full checks for all non-trusted certs.
I tried this.
Adding an old, ran-out certificate as a trusted certificate did not work for me. The affected modems still came up with reject(pk).
Only the method using "skip-validity-period" brought back the modems to w-online(pt).
Since you anyway want the old modems to stay online after the certificate validity time, I don't see an issue here in just ignoring the validity time of all certificates.
Technically BPI continues to operate.
For once, I choose to cross-port from another thread as it seems to be a hot topic and this thread seems to have more hits, so hopefully it helps someone.
In Motorola BSR2000, you can disable the PKI cert checking by doing this:
configure
interface cable 0/0
cable privacy cert valid false
end
write memory
Make sure the time is correct on the CMTS and the time server.
Reboot the modems that are stuck (reject(pk) or reject(pt)).
/Fredrik