Digital Certificate Upgrade Considerations

Public Key Length

To support SNMP walk for rcDigitalCertTable where the public key length exceeds 2,048 characters, VOSS 8.1 and later configures MAX_KEY_LEN to 2,048 to extend PublicKey to hold a key of up to 4,096 bits. After this key length is updated, the format of /intflash/.cert/cert_info.cfg changes based on the new maximum public key length, and you cannot restore the CertInfoTable from this file.

On VSP 7400 Series, if you upgrade to VOSS 8.1 or later from an earlier release, you must reconfigure the certificates because you cannot restore the old certificate configuration after reboot.

The switch displays the following log message after you upgrade to VOSS 8.1, or later, and reboot:

GlobalRouter DIGITALCERT ERROR Unable to restore info from /intflash/.cert/cert_info.cfg due to different/wrong format

CA Field in Root and Intermediate Certificates

The system checks basic constraints prior to checking the certificates. Ensure the CA field is True for every root and intermediate certificate in the certificate chain, including older certificates. If the CA field is False for the root certificate in the certificate chain, the RESTCONF TLS server state is down.