Is anyone familiar with PKI certificates? We received a notice from our coaxial network operator that we need to verify our PKI certificates on our cable modems, because they expire in Sept 2021. I am reading the CableLabs info, but wondering if anyone has had experience with these in the past.
Thanks
The real solution is to get firmware signed by an updated certificate from the modem manufacturer. However, for older modems that is unlikely or impossible.
You will need to check with your CMTS vendor, but likely, an exception will need to be made to trust expired certs/not check if they are expired.
Casa is implementing it like so:
[code]no cable privacy valid-period-check[/code]
which will not check if the certificate is still valid, but will still authorize against it.
On the Casa CMTS C10G there is no option
"[code]no cable privacy valid-period-check[/code]"
On which Casa CMTS / software release do you use this?
As far as I know the CLI command "[code]no cable privacy valid-period-check[/code]" per MAC-Domain interface was introduced with Software Release 8.x.x.x onwards. Since Software Release 8.x.x.x the CLI command in the configuration will make this setting non-volatile across reboots.
But the C10G is not supported by Software Release 8.x.x.x.
If I remember correctly, there is a volatile workaround possible: you have to disable the validity check via the BPI SNMP MIBs. However, this is a volatile setting and only lasts until the next reboot. So after a reboot of the C10G chassis you have to disable the validity check again.
[quote]
DOCS-IETF-BPI2-MIB::docsBpi2CmtsCheckCertValidityPeriods (.1.3.6.1.2.1.126.1.2.1.1.4)
Setting this object to 'true' causes all chained and
root certificates in the chain to have their validity
periods checked against the current time of day, when
the CMTS receives an Authorization Request from the
CM.
A 'false' setting causes all certificates in the chain
not to have their validity periods checked against the
current time of day.
This object need not persist after re-initialization
of the managed system.
Enumerations:
1 - true
2 - false
[/quote]
So, for example for interface docsis-mac 1 (ifIndex is 2000001), you have to set the value to false (the agent address, here $CMTS_IP, is a placeholder for your CMTS):
[code]snmpset -v2c -c private $CMTS_IP .1.3.6.1.2.1.126.1.2.1.1.4.2000001 i 2[/code]
Hope this will help you!
We stumbled over this as well.
We're using this chance to get rid of oldish D2.0 and 8x4 D3.0 modems.
One vendor sent us a firmware update to extend the lifetime of its modems.
But the other modems are just victims of planned obsolescence.
For Cisco uBR you might want to try this command under EACH mac-domain:
[code]interface Cable x/y/z
 cable privacy skip-validity-period[/code]
I doubt the CMTS vendor will add that to their config, but good to know. How difficult is it to get the firmware from the manufacturer, say for an Arris TM822G? Any tips on where/who to ask?
That particular modem has firmware that updates the certificate.
Edit to reflect DOCSIS/Euro-DOCSIS:
You need at least
9.1.103S5AN (for regular DOCSIS)
9.1.103S5AR (for Euro-DOCSIS)
Edit: you also need at least 7.5.50A installed on the modem before you can upgrade to the latest release.
TM822 TS070550A_070412 (TS 7.5.50A)
The correct place to get firmware updates is from the modem manufacturer Arris (Commscope); you should contact Arris to gain access.
Here is the blurb from the release notes:
Added in TS 9.1.103S5AN
Manufacturer Device Certificate (PD 62965)
This firmware release introduces a newly extended DOCSIS Cable Modem Device Manufacturer CA Certificate. The newly reissued CA Certificate is built into this release of firmware and expires on 7/10/2041. The use of this newly reissued CA Certificate is automatic and will be used in all CMTS communications after the firmware upgrade.
Edit:
Added in TS 9.1.103S5AR
Manufacturer Device Certificate (PD 77624)
This firmware release introduces a newly extended EURO DOCSIS Cable Modem Device Manufacturer CA Certificate. The newly reissued CA Certificate is built into this release of firmware and expires on 7/10/2041. The use of this newly reissued CA Certificate is automatic and will be used in all CMTS communications after the firmware upgrade.
Version S5AN will not work with Cisco CMTS
Only ver S5AR will solve the issue with Cisco CMTS
kwesibrunee, do you have access to version TS 9.1.103S5AN and/or the AR version, and are you able to share it with me? Email is farewell4950@yahoo.com
This command worked well for us; we use a Cisco uBR10K. Thanks
How do you view the certificate information?
E.g., to see a list of manufacturer certs currently active on this CMTS:
[code]show cable privacy manufacturer-cert-list[/code]
and to see the certificate from the CM (either MIB name, depending on which one your tooling has loaded):
[code]snmpget -v2c -c $COMMUNITY $CM_IP DOCS-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-IETF-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text[/code]
I tried the above on a few modems, and yes, I see older D2.0 and some 8x4 D3.0 expire Jul or Sep 2021, e.g.:
[code]Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:52:9c:26:54:79:7e:16:23:c6:e7:23:18:0a:9e:9c
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Data Over Cable Service Interface Specifications, OU=Cable Modems, CN=DOCSIS Cable Modem Root Certificate Authority
        Validity
            Not Before: Sep 12 00:00:00 2001 GMT
            Not After : Sep 11 23:59:59 2021 GMT
        Subject: C=US, O=Arris Interactive, L.L.C., OU=DOCSIS, OU=Suwanee, Georgia, CN=Arris Cable Modem Root Certificate Authority[/code]
If the certificate expires, what happens:
* firmware upgrades no longer work?
and/or
* BPI stops working (registration rejected)?
There is a FAQ found here: https://www.cablelabs.com/dpkinfo
Long story short: if the DOCSIS root cert expires or is not valid (cert revocation list), modems that are chained to it cannot register. I don't believe this is dependent on BPI.
1) When the time comes that the certificate is no longer valid, three scenarios may happen:
a) A modem currently registered on the CMTS with privacy enabled (e.g. BPI enabled) will stay (w-)online(pt) indefinitely.
b) A modem with privacy enabled cannot successfully register on the CMTS after the validity date. So a reboot of modem a) is not possible; it will go into reject(pk).
c) A modem without privacy (BPI) can still register.
Hi
Has anyone tested the behavior in a lab by putting the CMTS, cable modem, DHCP, etc. in 2022?
Just to prove the theory that the Cisco skip-validity-period command works,
and to prove that if BPI is not enabled then the modems continue working.
Thanks
Patrick
Hi
So I tested the Cisco workaround:
[code]Router#scm
                                                                       D
MAC Address    IP Address      I/F      MAC           Prim RxPwr  Timing Num I
                                        State         Sid  (dBmv) Offset CPE P
0015.a4ce.a61d 10.65.0.6       C3/0/U0  online(pt)    1    -0.50  2864   0   N
0015.cf65.f04f 10.65.0.9       C3/0/U0  online(pt)    2    -0.50  2869   0   N
Router#show clock
*16:29:20.569 est Fri Jan 22 2021
Router#clock set 16:29:00 Jan 22 2022
Router#clear cable modem all reset
Router#show clock
.16:29:13.960 est Sat Jan 22 2022
Router#scm
                                                                       D
MAC Address    IP Address      I/F      MAC           Prim RxPwr  Timing Num I
                                        State         Sid  (dBmv) Offset CPE P
0015.a4ce.a61d 10.65.0.6       C3/0/U0  reject(pk)    1    -0.50  2868   0   N
0015.cf65.f04f 10.65.0.9       C3/0/U0  reject(pk)    2    -1.00  2874   0   N
Router(config)#int c3/0
Router(config-if)#cable privacy skip-validity-period
Router#clear cable modem all reset
Router#scm
                                                                       D
MAC Address    IP Address      I/F      MAC           Prim RxPwr  Timing Num I
                                        State         Sid  (dBmv) Offset CPE P
0015.a4ce.a61d 10.65.0.6       C3/0/U0  online(pt)    1    -0.50  2867   0   N
0015.cf65.f04f 10.65.0.9       C3/0/U0  online(pt)    2    -1.00  2877   0   N
Router#show clock
.16:36:01.340 est Sat Jan 22 2022[/code]
So:
the modems are online when the clock is 2021;
if I put the CMTS clock in 2022 and reset the modems, they come back in reject;
if I put the skip-validation config in and reset the modems, they come back online.
I think this is a good proof.
You may also want to test the other option, assuming Cisco is the same as the Casa implementation: the skip-validity-check disables checking all certs, even valid ones.
Adding the cert in question as a trusted certificate bypasses the validity check for just the trusted cert and keeps full checks for all non-trusted certs.
I tried this.
Adding an old, ran-out certificate as a trusted certificate did not work for me. The affected modems still came up with reject(pk).
Only the method using "skip-validity-period" brought back the modems to w-online(pt).
Since you anyways want the old modems to stay online after certificate validity time, I don't see an issue here to just ignore the validity time of all certificates.
Technically BPI continues to operate.
For once, I choose to cross-port from another thread as it seems to be a hot topic and this thread seems to have more hits, so hopefully it helps someone.
In the Motorola BSR2000, you can disable the PKI cert checking by doing this:
[code]configure
interface cable 0/0
cable privacy cert valid false
end
write memory[/code]
Make sure the time is correct on the CMTS and the time server.
Reboot the modems that are stuck (reject(pk) or reject(pt)).
/Fredrik
After Sep 11, we had various Arris D3.0 modems not working on uBR10K CMTS.
eg TM722G, CM820A, CM820B, TM802G, TM822G, TM852G.
The modems had already been updated to the 9.1.103S5AR firmware.
The manuf cert on the modems expires 2041.
Same modems working fine on cBR8 CMTS.
We are having the same problem with our Arris D3.0 modems on 9.1.103S5AR as of 9-11-2021. SNMP walking for the cert on the modem shows it's valid from 010912000000Z to 410911235959Z. Our CMTS is a Cisco uBR7246VXR (MC88V linecards) running IOS 12.2(33)SCI. Kind of wonder if some root CA or chain on the CMTS was only valid until 9-11-2021 and can't validate the newer cert these modems are using? For now we've added "cable privacy skip-validity-period" to all of our interfaces which has allowed the modems to come online as "w-online(pt)". Not ideal but it is what it is until we can figure something better out.
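The `snmpget ... | xxd -r -ps | openssl x509` pipeline posted earlier, the UTCTime window quoted from the SNMP walk above (010912000000Z to 410911235959Z), and the reject(pk)/online(pt) behaviour from the lab test can be exercised offline with this added Python example, which is not from the thread or from any CMTS vendor: it turns the snmpget Hex-STRING output into DER, walks the certificate to its Validity field with a minimal DER parser (applying the RFC 5280 two-digit-year pivot, which is what makes "41" read as 2041), and models the CMTS decision with and without the skip-validity-period setting. The certificate bytes are a constructed sample built by the script itself, and all function names are assumptions.

```python
from datetime import datetime, timezone

def der(tag, body):  # DER TLV encoder, used only to build the constructed sample below
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")) + body
def tlv(buf, pos):  # decode the DER TLV at buf[pos] -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def hexstring_to_der(snmp_output):  # 'Hex-STRING: 30 82 ...' text from snmpget -> raw DER bytes
    return bytes.fromhex("".join(snmp_output.split("Hex-STRING:", 1)[1].split()))

def asn1_time(tag, raw):
    """Decode UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_window(cert):
    _, tbs, _ = tlv(cert, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = tlv(cert, tbs)             # TBSCertificate ::= SEQUENCE { [0] version, ... }
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                        # optional EXPLICIT version is present
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = tlv(cert, pos)
    _, pos, _ = tlv(cert, pos)             # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = tlv(cert, pos)
    t2, s2, e2 = tlv(cert, e1)
    return asn1_time(t1, cert[s1:e1]), asn1_time(t2, cert[s2:e2])

def cmts_auth_decision(cert, now, skip_validity_period=False):
    """Model of the thread's BPI+ outcome: reject(pk) outside the window unless the check is skipped."""
    not_before, not_after = validity_window(cert)
    return "online(pt)" if skip_validity_period or not_before <= now <= not_after else "reject(pk)"

# Constructed sample (not a real certificate): the Arris root validity quoted in the thread,
# 2001-09-12 to 2021-09-11, wrapped in just enough TBSCertificate structure for the walker.
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x45\x52\x9c")      # version v3, serial (shortened)
    + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSAEncryption
    + der(0x30, b"")                                                 # issuer (empty in the sample)
    + der(0x30, der(0x17, b"010912000000Z") + der(0x17, b"210911235959Z"))  # validity
    + der(0x30, b"")))                                               # subject (empty in the sample)
SNMP_OUTPUT = "DOCS-IETF-BPI2-MIB::docsBpi2CmDeviceManufCert.2 = Hex-STRING: " + SAMPLE_CERT.hex(" ")
```

Feeding real snmpget output through `hexstring_to_der` and `validity_window` gives the same Not Before/Not After pair that `openssl x509 -text` prints, without needing xxd or openssl on the polling host.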
We stumbled over a similar issue.
The problem is: the CMTS installs both - the old and the new CA.
But it keeps using the old CA, thus throwing a "CM Certificate Invalid Signature" error (show cable modem [mac] privacy verbose).
When I reboot the CMTS, the old CA vanishes and the modems will come online even without "cable privacy skip-validity-period".
This solution is not desirable, because:
- a large number of customers will be affected by this downtime
- any old modem will make the CMTS learn the old certificate again.
Does anyone know of a solution which will permanently delete the old CA or prevent it from being installed into the CMTS?