Revoke a Certificate | docsis.org

You are here

HomeForumsDocsis chat

Revoke a Certificate

6 posts / 0 new
Log in or register to post comments
Last post
Fri, 11/11/2016 - 10:23
#1
Paul
Revoke a Certificate

Hello,

how can i revoke a modem certificate on Cisco UBR?

There is an issue with AVM routers. More infos: Heise Newsticker (sorry, only german speaking)

At the moment there are modem with this bad cert on my CMTS. How can i reject these bad modems?

##### This is the bad cert ##################

CMTS#sh cable privacy manufacturer-cert-list
Cable Manufacturer Certificates:

Issuer: cn=Euro-DOCSIS Cable Modem Root CA,ou=Cable Modems,o=tComLabs - Euro-DOCSIS,c=BE
Subject: cn=AVM GmbH Cable Modem Root Certificate Authority,ou=Germany,ou=Euro-DOCSIS,o=AVM GmbH,l=Berlin,st=Berlin,c=DE
State: Chained
Source: Auth Info
RowStatus: Active
Serial: 18D93D04728FCE2FBAA781A81F926A43
Thumbprint: 3041FF97FC767C0112A00F4E39607A15368F004A

##### This is the bad cert ##################

Top
Mon, 11/14/2016 - 22:33
wittmann
Quick & Dirty Solution

Configure a hotlist for the Manufacturer Certificate:


configure terminal
cable privacy hotlist manufacturer 18D93D04728FCE2FBAA781A81F926A43

After that you can check the status of the Manufacturer Certificate and the State should be Untrusted:


show cable privacy manufacturer-cert-list
.
.
.
Issuer: cn=Euro-DOCSIS Cable Modem Root CA,ou=Cable Modems,o=tComLabs - Euro-DOCSIS,c=BE
Subject: cn=AVM GmbH Cable Modem Root Certificate Authority,ou=Germany,ou=Euro-DOCSIS,o=AVM GmbH,l=Berlin,st=Berlin,c=DE
State: Untrusted
Source: Auth Info
RowStatus: Active
Serial: 18D93D04728FCE2FBAA781A81F926A43
Thumbprint: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Please notice that the configuration of the hotlist will not be listed during a show running-config. You can only check the State.

Other solutions are SNMP or OSCP with CRL but these solutions out of the scope of this answer

Top
Fri, 11/18/2016 - 06:20
wittmann
How-To from Excentis

Finally there is a site available from Excentis how to revoke the Mfg Certificate on a CMTS:

https://www.excentis.com/testing/certification/programs/eurodocsis/digit...

This site will also include some python scripts for the cert stuff.

Top
Tue, 11/29/2016 - 03:27
cable guy
headache caused by ubr

Has someone already found a way to revoke the avm certificate with ubr running 122-33.SCI3 or later release?

configure terminal
cable privacy hotlist manufacturer 18D93D04728FCE2FBAA781A81F926A43

release notes:

"This procedure is not supported on the Cisco uBR10012 router running Cisco IOS releases prior to Cisco IOS release 12.3(23)BC9, Cisco IOS release 12.2(33)SCB5, and Cisco IOS Release12.2(33)SCC and later releases. "

edit: cli or snmp, in either case it does not work

Top
Thu, 12/01/2016 - 23:56
(Reply to #4)
wittmann
Hotlist configuration is a Quick and Dirty solution

The problem with the hotlist command is that it's not persistent after reboot and you have to reconfigure after the reboot but SNMP should working.

So for a long term solution you should revoke via SNMP. The setting should be persistent after reboots and Down- or Upgrades.

Are you sure that SNMP is not working?

What error messages did you received when you tried revoke the certificate via SNMP?

Do you read the full article from Excentis? It holds all necessary informations.

In theory Cisco is supporting OCSP but OCSP is optional in the specification. Currently there is no CRL file available anyway.

Top
Wed, 12/07/2016 - 02:40
(Reply to #5)
cable guy
snmp works

Thank you wittman. The snmp solution seems to work.

Top
Log in or register to post comments