News & Comment: Cisco let an SSL cert expire in its VPN kit – and broke network provisioning brokers

Well that’s one way to secure systems: deny new trustpoints

Ashish Pala, principal security architect at Venafi:

“We’ve seen a lot of problems when a closed PKI system is used to secure communication between device components. The problem is that a trusted and secure connection is a fundamental requirement, but if the certificate used to secure that connection expires there are going to be all kinds of serious communication problems.

Even large firms with significant investments in PKI tend to have these problems and, unfortunately, this is what appears to have caught Cisco out. Hopefully, this will set alarm bells ringing for other vendors in the industry that don’t have PKI automation in place.”


Faisal Razzak, senior security engineer at Venafi:

“Every business communicates via encrypted tunnels so they can transfer sensitive information over the public Internet. To guard these tunnels we need gatekeeping devices like VPNs from vendors like Cisco. When a certificate expires in these devices, that invalidates the identity of these gatekeepers and two really bad things can happen. The first is that business communication stops, leading to monetary losses and other serious business problems – pretty terrible. The second is that sensitive information is transmitted unencrypted over the public Internet, which is even worse.

The only way businesses can keep these channels open and secure is to have an automated process that manages the certificates used to guarantee trust on these gatekeeping devices.”