Automatically Update CA Bundles
You can set the management center to update its CA certificates automatically through CLI commands. By default, automatic updates of the CA certificates are enabled when you install or upgrade to version 7.0.5.

Note: In an IPv6-only deployment, the automatic update of CA certificates may fail because some of the Cisco servers do not support IPv6. In such cases, force the update of the CA certificates with the configure cert-update run-now force command.
Procedure

Step 1. Log into the FMC CLI using SSH or, for a virtual appliance, open the VM console.

Step 2. Verify whether the CA certificates on the local system are the latest:

    configure cert-update test

This command compares the CA bundle on the local system with the latest CA bundle from the Cisco server. If the local CA bundle is up to date, no connection check is executed and the test result is displayed as shown below.
Example:

If the local CA bundle is out of date, the connection check is executed against the downloaded CA bundle and the test result is displayed.
Example:

Example:

Step 3. (Optional) Update the CA bundles immediately:

    configure cert-update run-now

Example:

When you run this command, the CA certificates downloaded from the Cisco server are verified for SSL connectivity. If the SSL connectivity check fails for even one of the Cisco servers, the update is terminated.
Example:

To proceed with the update despite connection failures, add the force keyword:

    configure cert-update run-now force

Example:

Step 4. If you do not want the CA bundles to be updated automatically, disable the configuration:

    configure cert-update auto-update disable

Example:

Step 5. To re-enable the automatic update of CA bundles:

    configure cert-update auto-update enable

Example:

When automatic update of the CA certificates is enabled, the update process runs daily at a system-defined time.

Step 6. (Optional) View the status of the automatic update of CA certificates:

    show cert-update

Example:
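The comparison that steps 2 and 3 describe (is the local CA bundle the same as the latest one, and which certificates differ) can be reproduced offline for any pair of PEM bundles. The following is an added example written for this page; it is not Cisco's code and does not implement the FMC configure cert-update commands. It fingerprints every certificate in each bundle with SHA-256 over the DER bytes and reports what the local bundle is missing or carries in addition. The sample bundles are constructed from placeholder bytes and are not valid X.509 certificates; the optional check_tls helper (a hypothetical name) shows how a downloaded bundle would be used to verify a TLS connection and is only run when a host is given on the command line.

```python
"""Compare a local CA bundle with a reference bundle and report differences.

Added example for this page, not Cisco code. It models the check that the
'configure cert-update test' description implies: parse both PEM bundles,
fingerprint each certificate, and report which certificates differ.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

# Matches one PEM certificate block and captures its base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_bundle(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle,
    in the order the certificates appear."""
    fingerprints = []
    for body in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def compare_bundles(local_pem, latest_pem):
    """Return (up_to_date, missing_locally, extra_locally).

    missing_locally: fingerprints present in the latest bundle but not locally.
    extra_locally:   fingerprints present locally but no longer in the latest bundle.
    """
    local = set(parse_bundle(local_pem))
    latest = set(parse_bundle(latest_pem))
    return local == latest, sorted(latest - local), sorted(local - latest)


def check_tls(host, cafile, port=443, timeout=5.0):
    """Hypothetical connectivity check: open a TLS connection to host and verify
    the server chain against the given CA bundle file. Returns True on success,
    False if verification or the connection fails. Requires network access."""
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def _fake_cert(label):
    """Constructed placeholder PEM block (NOT a real certificate); used only so
    the example runs offline."""
    body = base64.b64encode(f"constructed-cert-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: the local copy lacks certificate "C".
LOCAL_BUNDLE = _fake_cert("A") + _fake_cert("B")
LATEST_BUNDLE = _fake_cert("A") + _fake_cert("B") + _fake_cert("C")


if __name__ == "__main__":
    up_to_date, missing, extra = compare_bundles(LOCAL_BUNDLE, LATEST_BUNDLE)
    print("CA bundle up to date:", up_to_date)
    for fp in missing:
        print("missing locally:", fp)
    for fp in extra:
        print("no longer in latest bundle:", fp)
    # Optional live check: python ca_bundle_check.py <host> <bundle.pem>
    if len(sys.argv) == 3:
        print("TLS check:", check_tls(sys.argv[1], sys.argv[2]))
```

Fingerprinting over the decoded DER rather than the PEM text means cosmetic differences (line wrapping, comments between blocks) do not produce false "out of date" results; a real deployment would also want to confirm the source of the latest bundle before trusting it.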