Is anyone familiar with PKI certificates? We received a notice from our coaxial network operator that we need to verify our PKI certificates on our cable modems, because they expire in Sept 2021. I am reading the CableLabs info, but wondering if anyone has had experience with these in the past.
Thanks
The real solution, is to get firmware signed by an updated certificate, from the modem manufacturer. However, for older modems that is unlikely/impossible to happen.
You will need to check with your CMTS vendor, but likely, an exception will need to be made to trust expired certs/not check if they are expired.
Casa is implementing it like so:
no cable privacy valid-period-check
which will not check if the certificate is still valid, but will still authorize against it.
We stumbled over this as well.
We're using this chance to get rid of oldish D2.0 and 8x4 D3.0 modems.
One vendor sent us a firmware update to extend the lifetime of its modems.
But the other modems just are victim to planned obsolescence.
For Cisco ubr you might want to try this command under EACH mac-domain:
interface Cable x/y/z
cable privacy skip-validity-period
I doubt the CMTS vendor will add that to their config, but good to know. How difficult is it to get the firmware from the manufacturer, say for an Arris TM822G, any tips on where/who to ask?
That particular modem has firmware that updates the certificate
Edit to reflect Docsis/Euro-Docsis
you need at least
9.1.103S5AN (for Regular Docsis)
9.1.103S5AR (for Euro-Docsis)
edit: you also need at least 7.5.50A installed on the modem before you can upgrade to latest release.
TM822 TS070550A_070412 (TS 7.5.50A)
The correct place to get firmware updates is from the modem manufacturer Arris (Commscope) you should contact Arris to gain access.
Here is the blurb from the release notes:
Added in TS 9.1.103S5AN
Manufacturer Device Certificate (PD 62965)
This firmware release introduces a newly extended DOCSIS Cable Modem Device
Manufacturer CA Certificate. The newly reissued CA Certificate is built into this release
of firmware and expires on 7/10/2041. The use of this newly reissued CA Certificate is
automatic and will be used in all CMTS communications after the firmware upgrade.
Edit:
Added in TS 9.1.103S5AR
Manufacturer Device Certificate (PD 77624)
This firmware release introduces a newly extended EURO DOCSIS Cable Modem
Device Manufacturer CA Certificate. The newly reissued CA Certificate is built into this
release of firmware and expires on 7/10/2041. The use of this newly reissued CA
Certificate is automatic and will be used in all CMTS communications after the firmware
upgrade.
Version S5AN will not work with Cisco CMTS
Only ver S5AR will solve the issue with Cisco CMTS
kwesibrunee, do you have access to version TS 9.1.103S5AN and/or AR version and able to share it with me? email is farewell4950@yahoo.com
How to you view the certificate information?
eg
See a list of manufacturer certs currently active on this CMTS
show cable privacy manufacturer-cert-list
and see the certificate from the CM
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-IETF-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text
I tried above on a few modems, and yes I see older D2.0 and some 8x4 D3.0 expire Jul or Sep 2021
eg
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
45:52:9c:26:54:79:7e:16:23:c6:e7:23:18:0a:9e:9c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Data Over Cable Service Interface Specifications, OU=Cable Modems, CN=DOCSIS Cable Modem Root Certificate Authority
Validity
Not Before: Sep 12 00:00:00 2001 GMT
Not After : Sep 11 23:59:59 2021 GMT
Subject: C=US, O=Arris Interactive, L.L.C., OU=DOCSIS, OU=Suwanee, Georgia, CN=Arris Cable Modem Root Certificate Authority
If the certificate expires, what happens :
* firmware upgrades no longer work?
and/or
* BPI stops working (registration rejected)?
There is a FAQ found here: https://www.cablelabs.com/dpkinfo
long story short if the docsis root cert expires or is not valid (cert revoke list) modems that are chained to it can not register. I don't believe this is dependent on BPI.
1) When the time comes the certificate no longer is valid three scenarios may happen:
a) A modem currently registered on the CMTS with enabled privacy (eg. BPI enabled) will stay (w-)online(pt) indefinitely.
b) A modem with enabled privacy cannot successfully register after the validity date on the CMTS. So a reboot of modem a) is not possible. I will go into reject(pk)
c) A modem without privacy (BPI) still can register.