Symptom
The maximum validity end date of an IOS/IOS-XE self-signed certificate is 00:00:00 UTC Jan 1 2020.
Attempting to generate a self-signed IOS/IOS-XE certificate before this date sets the Validity Date End to 00:00:00 UTC Jan 1 2020 (shown as Dec 31 2019 in some time zones).
Attempting to generate a self-signed IOS/IOS-XE certificate on or after this date fails with the error:
002715: .Jan 1 10:12:12.351: ../cert-c/source/certobj.c(535) : E_VALIDITY : validity period start later than end
Conditions
IOS/IOS-XE PKI self-signed certificate (trustpoint enrolled with enrollment selfsigned).
Workaround
1. Upgrade to a fixed release.
2. Use a third-party CA to sign and issue the certificate.
3. Use an IOS CA server hosted locally to sign the certificate.
4. Use openssl to generate a PKCS12 bundle and import it into the trustpoint, using one of the following commands:
Base64:
openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 5000 -out tmp.cer -subj "/CN=SelfSignedCert" && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 && openssl base64 -in tmp.bin && rm tmp.bin tmp.key tmp.cer
PKCS12 PFX:
openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 5000 -out tmp.cer -subj "/CN=SelfSignedCert" && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out certificate.pfx -password pass:Cisco123 && rm tmp.key tmp.cer
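The following script is added here as a worked example and is not part of Cisco's bug text. It wraps the openssl workaround above in a reusable function and adds the check a practitioner would want before importing the bundle: it reads the certificate back out of the generated PKCS#12 file and confirms with openssl x509 -checkend that its notAfter lies well past the 00:00:00 UTC Jan 1 2020 limit of this defect, and that the bundle opens with the password it was exported with. The common name, the 5000-day validity and the password change-me are placeholders (the page uses Cisco123; choose your own); the script assumes only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Cisco bug page): generate a PKCS#12 bundle for
# IOS/IOS-XE import and verify its validity end date before using it.
# Assumes the openssl CLI is installed. CN, validity and password below are
# placeholders, not values from the page.
set -eu

# make_pkcs12 CN DAYS PASSWORD OUTFILE
# Generates a 2048-bit RSA key and a self-signed cert valid for DAYS days,
# bundles both into OUTFILE (PKCS#12) protected by PASSWORD, and deletes
# the temporary PEM files. Fails (non-zero) if any openssl step fails.
make_pkcs12() {
    cn=$1; days=$2; pass=$3; out=$4
    workdir=$(mktemp -d)
    openssl req -newkey rsa:2048 -nodes -keyout "$workdir/tmp.key" \
        -x509 -days "$days" -out "$workdir/tmp.cer" -subj "/CN=$cn" 2>/dev/null
    openssl pkcs12 -export -in "$workdir/tmp.cer" -inkey "$workdir/tmp.key" \
        -out "$out" -passout "pass:$pass"
    rm -rf "$workdir"
}

# p12_enddate FILE PASSWORD
# Prints the notAfter line of the certificate stored in the bundle.
p12_enddate() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -enddate
}

# p12_valid_for_days FILE PASSWORD DAYS
# Succeeds only if the bundle opens with PASSWORD and its certificate is
# still valid DAYS days from now (openssl x509 -checkend exits 0 then).
p12_valid_for_days() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Stand-alone run: build the bundle, show and check its end date, then emit
# the base64 text that is pasted into the device's terminal import.
out=$(mktemp -d)/SelfSignedCert.p12
make_pkcs12 SelfSignedCert 5000 'change-me' "$out"
p12_enddate "$out" 'change-me'
if p12_valid_for_days "$out" 'change-me' 1460; then
    echo "OK: certificate in $out is valid for at least four more years"
else
    echo "FAIL: certificate in $out expires too soon" >&2
    exit 1
fi
openssl base64 -in "$out"
```

The base64 text printed at the end is what is pasted into the trustpoint's terminal PKCS12 import on the device (on IOS this is the crypto pki import form of the command; treat the exact syntax as platform-dependent and check it against your release). One caveat that is not on the page: OpenSSL 3.x encrypts PKCS#12 bundles with AES-256 and PBKDF2 by default; if an older release refuses the bundle, adding -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to the export command produces the older 3DES/SHA-1 format that legacy importers are more likely to accept.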
Further Problem Description
Further details on the impact of this defect are available in the following Cisco Field Notice:
https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html