PKI Certificates | docsis.org

PKI Certificates

Kalium
PKI Certificates

Is anyone familiar with PKI certificates? We received a notice from our coaxial network operator that we need to verify our PKI certificates on our cable modems, because they expire in Sept 2021. I am reading the CableLabs info, but wondering if anyone has had experience with these in the past.

Thanks

kwesibrunee
Solution

The real solution is to get firmware signed by an updated certificate from the modem manufacturer. However, for older modems that is unlikely/impossible to happen.

You will need to check with your CMTS vendor, but likely, an exception will need to be made to trust expired certs/not check if they are expired.

Casa is implementing it like so:

no cable privacy valid-period-check

which will not check if the certificate is still valid, but will still authorize against it.

schg
We stumbled over this as well

We stumbled over this as well.
We're using this chance to get rid of oldish D2.0 and 8x4 D3.0 modems.

One vendor sent us a firmware update to extend the lifetime of its modems.
But the other modems are just victims of planned obsolescence.

For Cisco ubr you might want to try this command under EACH mac-domain:


interface Cable x/y/z
 cable privacy skip-validity-period

Kalium
Vendor

I doubt the CMTS vendor will add that to their config, but good to know. How difficult is it to get the firmware from the manufacturer, say for an Arris TM822G, any tips on where/who to ask?

kwesibrunee
That particular modem has

That particular modem has firmware that updates the certificate

Edit to reflect Docsis/Euro-Docsis

you need at least
9.1.103S5AN (for Regular Docsis)
9.1.103S5AR (for Euro-Docsis)

edit: you also need at least 7.5.50A installed on the modem before you can upgrade to latest release.

TM822 TS070550A_070412 (TS 7.5.50A)

The correct place to get firmware updates is from the modem manufacturer, Arris (Commscope). You should contact Arris to gain access.

Here is the blurb from the release notes:

Added in TS 9.1.103S5AN
Manufacturer Device Certificate (PD 62965)
This firmware release introduces a newly extended DOCSIS Cable Modem Device
Manufacturer CA Certificate. The newly reissued CA Certificate is built into this release
of firmware and expires on 7/10/2041. The use of this newly reissued CA Certificate is
automatic and will be used in all CMTS communications after the firmware upgrade.

Edit:
Added in TS 9.1.103S5AR
Manufacturer Device Certificate (PD 77624)
This firmware release introduces a newly extended EURO DOCSIS Cable Modem
Device Manufacturer CA Certificate. The newly reissued CA Certificate is built into this
release of firmware and expires on 7/10/2041. The use of this newly reissued CA
Certificate is automatic and will be used in all CMTS communications after the firmware
upgrade.

schg
Version S5AN will not work

Version S5AN will not work with Cisco CMTS
Only ver S5AR will solve the issue with Cisco CMTS

Kalium
Firmware

kwesibrunee, do you have access to version TS 9.1.103S5AN and/or AR version and able to share it with me? email is farewell4950@yahoo.com

mbowe
Can you provide more information

How do you view the certificate information?

eg
See a list of manufacturer certs currently active on this CMTS
show cable privacy manufacturer-cert-list

and see the certificate from the CM
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text
snmpget -v2c -c $COMMUNITY $CM_IP DOCS-IETF-BPI2-MIB::docsBpi2CmDeviceManufCert.2 | sed -e 's/DOCS.*Hex-STRING: //' | xxd -r -ps | openssl x509 -inform DER -text

I tried above on a few modems, and yes I see older D2.0 and some 8x4 D3.0 expire Jul or Sep 2021
eg
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:52:9c:26:54:79:7e:16:23:c6:e7:23:18:0a:9e:9c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Data Over Cable Service Interface Specifications, OU=Cable Modems, CN=DOCSIS Cable Modem Root Certificate Authority
        Validity
            Not Before: Sep 12 00:00:00 2001 GMT
            Not After : Sep 11 23:59:59 2021 GMT
        Subject: C=US, O=Arris Interactive, L.L.C., OU=DOCSIS, OU=Suwanee, Georgia, CN=Arris Cable Modem Root Certificate Authority

If the certificate expires, what happens:
* firmware upgrades no longer work?
and/or
* BPI stops working (registration rejected)?
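
The per-modem expiry check from the post above, extended to a batch of modems, as an added example that is not part of the original thread. It parses saved `openssl x509 -text` output and sorts modems by how soon the manufacturer certificate expires; the MAC addresses, the second and third sample entries, and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed `openssl x509 -text` output per modem MAC.
# The first entry reuses the dates shown in the post above; the second
# certificate and all MAC addresses are made up.
SAMPLE = {
    "00:00:5e:00:53:01": "    Not After : Sep 11 23:59:59 2021 GMT\n"
        "    Subject: C=US, O=Arris Interactive, L.L.C., OU=DOCSIS, "
        "CN=Arris Cable Modem Root Certificate Authority\n",
    "00:00:5e:00:53:02": "    Not After : Jan  1 00:00:00 2040 GMT\n"
        "    Subject: C=US, O=Example Vendor, CN = Example Vendor CM CA\n",
    "00:00:5e:00:53:03": "unable to load certificate\n",  # SNMP/openssl failed
}

NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")
SUBJECT_CN = re.compile(r"^\s*Subject:.*?CN\s*=\s*(.+?)\s*$", re.M)

def parse_cert_text(text):
    """Return (subject CN, notAfter as aware UTC datetime), or None."""
    m = NOT_AFTER.search(text)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse openssl's day padding
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    cn = SUBJECT_CN.search(text)
    return (cn.group(1) if cn else "?", not_after.replace(tzinfo=timezone.utc))

def triage(outputs, now, warn_days=180):
    """Return (mac, status, CN, notAfter) rows, most urgent status first."""
    order = {"unparseable": 0, "expired": 1, "expiring": 2, "ok": 3}
    rows = []
    for mac, text in outputs.items():
        parsed = parse_cert_text(text)
        if parsed is None:  # no certificate text: needs a manual look
            rows.append((mac, "unparseable", None, None))
            continue
        cn, not_after = parsed
        left = not_after - now
        status = ("expired" if left < timedelta(0) else
                  "expiring" if left <= timedelta(days=warn_days) else "ok")
        rows.append((mac, status, cn, not_after))
    return sorted(rows, key=lambda r: order[r[1]])

if __name__ == "__main__":
    for row in triage(SAMPLE, datetime.now(timezone.utc)):
        print(*row, sep="  ")
```

Modems reported as "unparseable" returned no certificate text at all, so they need a manual check rather than being counted as healthy.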

kwesibrunee
There is a FAQ found here:

There is a FAQ found here: https://www.cablelabs.com/dpkinfo

Long story short: if the DOCSIS root cert expires or is not valid (cert revoke list), modems that are chained to it cannot register. I don't believe this is dependent on BPI.

schg
1) When the time comes the

1) When the time comes that the certificate is no longer valid, three scenarios may happen:
a) A modem currently registered on the CMTS with enabled privacy (e.g. BPI enabled) will stay (w-)online(pt) indefinitely.
b) A modem with enabled privacy cannot successfully register after the validity date on the CMTS. So a reboot of modem a) is not possible. It will go into reject(pk).
c) A modem without privacy (BPI) still can register.
