New Root Certificate Authority for Cisco Webex Services from March 2021
March 2021 Cisco Webex Root CA Certificate Update
Starting in March 2021, Cisco Webex will be moving to a new Certificate Authority, IdenTrust Commercial Root CA 1. Customers using Expressway to dial into Webex meetings, or one of the connectors that leverages Expressway, must upload the new certificate to their Expressway devices before March 31, 2021.
In general, this change will be transparent and require no action from customers.
You must take action if:
- You are using Endpoints to connect to the Cisco Webex Video Platform through a Video Communication Server (VCS)-Expressway or Expressway Edge you must add the new certificate into the Trusted Root Store of the VCS or Expressway.
- You are using a Connector or Hybrid Service on a VCS-Control or Expressway Core and have not opted into Cloud Certificate Management, you must add the new certificate into the Trusted Root Store of the VCS.
- March 23, 2021 update: Customers that leverage Cloud Certificate Management will not see the new IdenTrust certificate in their list of certificates currently. The existing Quovadis (O=QuoVadis Limited, CN=QuoVadis Root CA 2) certificate is still valid. The IdenTrust certificate will become available to Cloud Certificate Management at a future TBD time. Customers utilizing Cloud Certificate Management will not experience any service interruptions as a result of this announcement and don't need to take any actions at this time.
- You are using Cisco Webex Edge Audio through a VCS-Expressway, or Expressway Edge you must add the certificate into the trusted root store of the VCS or Expressway.
- You have restricted access to URLs for checking Certificate revocation lists, you must allow Webex clients to reach the Certificate Revocation List hosted at http://validation.identrust.com/crl/hydrantidcao1.crl
- We have also added *.identrust.com into the list of URLs that must be allowed for certificate verification.
- You are not using the default Certificate Trust Stores for your operating systems, you must add the certificate into your trusted root store. This certificate is contained within the default trust store of all major operating systems by default.
To upload the new certificate onto a VCS-Control, VCS-Expressway, Expressway Core, and Expressway Edge:
- Download the IdenTrust Commercial Root CA 1 here and save it as identrust_RootCA1.pem
- On all your Expressway devices, navigate to Maintenance > Security > Trusted CA Certificate
- Browse > Upload the identrust_RootCA1.pem > Append CA Certificate
- Verify the certificate successfully uploaded and is present in the VCS Expressway Trust Store