Hello,
How can I revoke a modem certificate on a Cisco uBR?
There is an issue with AVM routers. More info: Heise Newsticker (sorry, German only)
At the moment there are modems with this bad cert on my CMTS. How can I reject these bad modems?
##### This is the bad cert ##################
CMTS#sh cable privacy manufacturer-cert-list
Cable Manufacturer Certificates:
Issuer: cn=Euro-DOCSIS Cable Modem Root CA,ou=Cable Modems,o=tComLabs - Euro-DOCSIS,c=BE
Subject: cn=AVM GmbH Cable Modem Root Certificate Authority,ou=Germany,ou=Euro-DOCSIS,o=AVM GmbH,l=Berlin,st=Berlin,c=DE
State: Chained
Source: Auth Info
RowStatus: Active
Serial: 18D93D04728FCE2FBAA781A81F926A43
Thumbprint: 3041FF97FC767C0112A00F4E39607A15368F004A
##### This is the bad cert ##################
Configure a hotlist for the Manufacturer Certificate:
configure terminal
cable privacy hotlist manufacturer 18D93D04728FCE2FBAA781A81F926A43
After that you can check the status of the Manufacturer Certificate and the State should be Untrusted:
show cable privacy manufacturer-cert-list
.
.
.
Issuer: cn=Euro-DOCSIS Cable Modem Root CA,ou=Cable Modems,o=tComLabs - Euro-DOCSIS,c=BE
Subject: cn=AVM GmbH Cable Modem Root Certificate Authority,ou=Germany,ou=Euro-DOCSIS,o=AVM GmbH,l=Berlin,st=Berlin,c=DE
State: Untrusted
Source: Auth Info
RowStatus: Active
Serial: 18D93D04728FCE2FBAA781A81F926A43
Thumbprint: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Please note that the hotlist configuration will not be listed in a show running-config. You can only check the State.
Other solutions are SNMP or OCSP with a CRL, but these solutions are out of the scope of this answer.
Finally, there is a site available from Excentis on how to revoke the Mfg Certificate on a CMTS:
https://www.excentis.com/testing/certification/programs/eurodocsis/digit...
This site also includes some Python scripts for the cert stuff.
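Since the answer above points out that the hotlist never appears in the running-config and the only visible evidence is the State field, here is an added example (not from this thread, not a Cisco or Excentis tool) that parses "show cable privacy manufacturer-cert-list" records and reports, per serial you hotlisted, whether the CMTS now shows that cert as Untrusted. The sample output is constructed: the first record reuses the AVM serial from the thread, the second is a placeholder vendor record.

```python
import re
from typing import Dict, List

# Constructed sample of "show cable privacy manufacturer-cert-list" output: the first
# record reuses the AVM serial from this thread, the second is a placeholder vendor.
SAMPLE_OUTPUT = """\
Cable Manufacturer Certificates:
Issuer: cn=Euro-DOCSIS Cable Modem Root CA,ou=Cable Modems,o=tComLabs - Euro-DOCSIS,c=BE
Subject: cn=AVM GmbH Cable Modem Root Certificate Authority,ou=Germany,ou=Euro-DOCSIS,o=AVM GmbH,l=Berlin,st=Berlin,c=DE
State: Untrusted
Source: Auth Info
RowStatus: Active
Serial: 18D93D04728FCE2FBAA781A81F926A43
Thumbprint: 3041FF97FC767C0112A00F4E39607A15368F004A
Issuer: cn=Euro-DOCSIS Cable Modem Root CA,ou=Cable Modems,o=tComLabs - Euro-DOCSIS,c=BE
Subject: cn=Placeholder Vendor CM Root CA,o=Placeholder Vendor,c=XX
State: Chained
Serial: 00000000000000000000000000000001
Thumbprint: 0000000000000000000000000000000000000000
"""
FIELD_RE = re.compile(r"^(Issuer|Subject|State|Source|RowStatus|Serial|Thumbprint):\s*(.*)$")

def parse_cert_list(text: str) -> List[Dict[str, str]]:
    """One dict per certificate; a record starts at each 'Issuer:' line (header and '.' lines are skipped)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Issuer" and current:  # a new record begins
            records.append(current)
            current = {}
        current[field] = value
    if current:
        records.append(current)
    return records

def check_hotlist(text: str, hotlisted_serials: List[str]) -> Dict[str, str]:
    """Verdict per hotlisted serial: 'revoked' if the CMTS shows State Untrusted,
    'trusted' if the record is present but still chained, 'missing' if that serial is not listed."""
    by_serial = {r.get("Serial", "").upper(): r for r in parse_cert_list(text)}
    verdicts: Dict[str, str] = {}
    for serial in hotlisted_serials:
        rec = by_serial.get(serial.upper())
        verdicts[serial] = ("missing" if rec is None else
                            "revoked" if rec.get("State") == "Untrusted" else "trusted")
    return verdicts
```

A 'missing' verdict usually means a typo in the serial passed to the hotlist command, or that no modem with that manufacturer cert has registered yet.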
Has someone already found a way to revoke the AVM certificate with a uBR running 122-33.SCI3 or a later release?
configure terminal
cable privacy hotlist manufacturer 18D93D04728FCE2FBAA781A81F926A43
Release notes:
"This procedure is not supported on the Cisco uBR10012 router running Cisco IOS releases prior to Cisco IOS release 12.3(23)BC9, Cisco IOS release 12.2(33)SCB5, and Cisco IOS Release 12.2(33)SCC and later releases."
Edit: CLI or SNMP, in either case it does not work.
The problem with the hotlist command is that it's not persistent after a reboot and you have to reconfigure it after the reboot, but SNMP should be working.
So for a long-term solution you should revoke via SNMP. The setting should be persistent across reboots and down- or upgrades.
Are you sure that SNMP is not working?
What error messages did you receive when you tried to revoke the certificate via SNMP?
Did you read the full article from Excentis? It holds all the necessary information.
In theory Cisco supports OCSP, but OCSP is optional in the specification. Currently there is no CRL file available anyway.
Thank you wittman. The SNMP solution seems to work.