The Business of Broadband

The Pending Expiration of Manufacturer CA Certificates

Written by Rick Yuzzi | Apr 21, 2021 10:00:00 AM

Where were you when Y2K happened? If you are a cable operator, you may be impacted by your own version of this type of event. As of May 1st, some of the Manufacturer CA certificates in cable modems were set to start expiring, and if a modem's firmware has not been updated to extend the CA validity date, the modem will cease to function. The CA certificates are part of the security validation between the CMTS and CPE on DOCSIS networks. May 1st has passed, but that doesn't mean you are out of the woods if you have not looked into the issue. Not all CA certs were set to expire on May 1st. It could be days, months or a year from now before they expire. But if you have devices in your network with old certs and you do not take action, they will go offline at some point.

So, if you were not aware of this, what do you need to do? You are a little bit behind, but you still have time to address the issue. Start by compiling an inventory of the CMTS and cable modem models on your network and their firmware levels. This lets you determine which devices are at risk and whether a firmware update is available that resolves the issue. Then update the modems at least to the firmware level that extends the certificate validity date, assuming one is available.

You may run into some challenges when you get the results of your inventory. If you have older modems in your network, they may be long discontinued or no longer supported, in which case the needed firmware update may not be available. In that case there is a workaround that can be implemented on the CMTS so you can continue using the older modems. A configuration can be added in the CMTS that tells it to ignore the validity date. However, the CMTS needs a firmware release that supports that configuration change, which may be a challenge if you also have a CMTS that is no longer supported.

If you have both unsupported modems that cannot be updated, AND your CMTS does not support the configuration change to ignore the date, there are a few other options. You can turn off Baseline Privacy (BPI) in the CMTS, but this is not a recommended solution according to CableLabs.  Another option is to replace the unsupported modems in your network with ones that can be updated with a certificate that has a new expiration date (or with DOCSIS 3.1 or later devices that require no validity date at all).  Finally, depending on the number of modems you would need to replace, an alternate option would be to replace the CMTS with one that can be configured to ignore the expired certificate date on your older, unsupported modems. 
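The inventory and the options above can be worked through per device with a small triage script. This is an added example, not something from the original post or from CableLabs; the model names, firmware versions, dates and field names are constructed, and it assumes firmware versions are dotted numbers that compare numerically.

```python
from datetime import date

def ver(v):
    """Turn a dotted version string such as '1.3.2' into (1, 3, 2)."""
    return tuple(int(p) for p in v.split("."))

def triage(modem, cmts_can_ignore_validity, today, warn_days=180):
    """Return (status, action) for one inventory row, following the post's options."""
    if ver(modem["docsis"]) >= (3, 1):
        return ("ok", "none: DOCSIS 3.1 or later needs no validity date")
    fixed = modem["fixed_fw"]  # first firmware that extends the CA date, or None
    if fixed and ver(modem["fw"]) >= ver(fixed):
        return ("ok", "none: firmware already extends the CA validity date")
    days_left = (modem["ca_not_after"] - today).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "at-risk"
    if fixed:
        action = f"update firmware to {fixed} or later"
    elif cmts_can_ignore_validity:
        action = "configure the CMTS to ignore the validity date"
    else:
        action = "replace modem or CMTS (turning off BPI is not recommended)"
    return (status, action)

# Constructed sample inventory; real rows come from your own CMTS/modem audit.
INVENTORY = [
    {"model": "CM-A", "docsis": "3.0", "fw": "1.2.0", "fixed_fw": "1.3.0",
     "ca_not_after": date(2021, 5, 1)},
    {"model": "CM-B", "docsis": "3.0", "fw": "1.3.2", "fixed_fw": "1.3.0",
     "ca_not_after": date(2021, 5, 1)},
    {"model": "CM-C", "docsis": "2.0", "fw": "4.1", "fixed_fw": None,
     "ca_not_after": date(2021, 9, 15)},
    {"model": "CM-D", "docsis": "3.1", "fw": "7.0", "fixed_fw": None,
     "ca_not_after": None},
]

def report(inventory, cmts_can_ignore_validity, today):
    """Triage every row; returns {model: (status, action)}."""
    return {m["model"]: triage(m, cmts_can_ignore_validity, today)
            for m in inventory}

if __name__ == "__main__":
    for model, (status, action) in report(INVENTORY, False, date(2021, 6, 1)).items():
        print(f"{model}: {status:9} {action}")
```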

Want to know more?  Watch this Tech Tuesday broadcast where we provide an overview of the issue and discuss the different options available. 

 

In addition, you can download this FAQ from CableLabs.

We have also put together this list of CMTS and modem models. This is by no means an exhaustive list. These are just the devices that we know our customers are using, so we did some research and listed the information we were able to get regarding whether firmware was available to address the issue.