Our firmware update process is failing with a security policy violation when we try to deploy a critical patch. The error indicates the firmware image isn’t properly signed, even though we’re using Cisco’s signing tools.
Error from the deployment logs:
Firmware validation failed: Signature verification error
Policy: REQUIRE_SIGNED_FIRMWARE enforced
Image: router-fw-3.2.1.bin rejected
We have firmware signature enforcement enabled across all device groups, and the device policy configuration requires valid signatures. The issue is our trusted certificate management - we recently rotated our signing certificates but I’m not sure if the new cert chain is properly configured in IoT Cloud Connect. The old certificates expired last month, so we can’t use them anymore.
How do we properly configure the new signing certificates so our firmware images pass validation? This is blocking a critical security patch deployment.
Certificate rotation is tricky. You need to update the trusted certificate store on both the IoT Cloud Connect platform AND on the devices themselves. The devices need the new root CA cert to validate firmware signatures. Did you push the new CA cert to all devices before rotating?
First verify that your firmware image is actually signed with the new certificate. Run the signature verification locally before uploading. The Cisco signing tools have a verify command that will show you which certificate was used and whether the signature is valid.
Also check your device policy configuration. Some policies have a grace period for certificate rotation where both old and new certs are trusted for a transition period. If you don’t have that configured, devices will reject anything signed with the new cert immediately. The policy should allow a 30-60 day overlap.
You need to push the CA cert update separately BEFORE rotating your signing cert. Otherwise you create this exact chicken-and-egg problem where devices can’t validate the new signatures. We learned this the hard way. The CA cert update should be done via configuration management, not firmware update, since it needs to happen with the old cert chain still valid.
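The chicken-and-egg situation described in the replies above (and the "verify locally before uploading" step) can be reproduced end to end in a small Go program. This is an added illustration, not code from the original thread, from Cisco's signing tools, or from IoT Cloud Connect: it mints a constructed old and new CA hierarchy with Go's standard crypto/x509 package, sets the old signing certificate to have expired last month as in the question, signs a stand-in image, and runs the same device-side check (chain to a trusted root, still valid today, signature matches) against three trust-store states: a device that never received the new CA cert, a device in the overlap window trusting both roots, and a device after the old root was retired. All certificate names, lifetimes and the image bytes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert mints an ECDSA P-256 certificate; parent == nil yields a self-signed root.
// Constructed stand-in for the real PKI: the real signing certs come from your CA / Cisco tooling.
func issueCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SignFirmware produces a detached ECDSA signature over the SHA-256 of the image.
func SignFirmware(image []byte, key *ecdsa.PrivateKey) []byte {
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyFirmware is the device-side policy check: the signing cert must chain to a root in
// the device's trust store and be valid now, and the signature must match the image.
func VerifyFirmware(image, sig []byte, signer *x509.Certificate, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signing certificate not trusted: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, image, sig); err != nil {
		return fmt.Errorf("signature verification error: %w", err)
	}
	return nil
}

// RotationOutcome records which trust-store state accepts which image.
type RotationOutcome struct {
	OldRootOnlyAcceptsNew bool // device that never received the new CA cert
	OverlapAcceptsNew     bool // device trusting old and new roots (transition window)
	OverlapAcceptsOld     bool // image signed with the old, now-expired signing cert
	NewRootOnlyAcceptsNew bool // device after the old root was retired
}

// RunRotationScenario builds the old and new hierarchies (old signer expired 30 days ago)
// and checks a constructed image against the three trust stores.
func RunRotationScenario() RotationOutcome {
	now := time.Now()
	year := 365 * 24 * time.Hour
	oldRoot, oldRootKey := issueCert("Old Firmware Root CA", true, now.Add(-3*year), now.Add(2*year), nil, nil)
	oldSigner, oldSignerKey := issueCert("Old Firmware Signer", false, now.Add(-year), now.Add(-30*24*time.Hour), oldRoot, oldRootKey)
	newRoot, newRootKey := issueCert("New Firmware Root CA", true, now.Add(-time.Hour), now.Add(5*year), nil, nil)
	newSigner, newSignerKey := issueCert("New Firmware Signer", false, now.Add(-time.Hour), now.Add(year), newRoot, newRootKey)

	image := []byte("constructed stand-in for router-fw-3.2.1.bin")
	sigOld := SignFirmware(image, oldSignerKey)
	sigNew := SignFirmware(image, newSignerKey)

	oldOnly, overlap, newOnly := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	oldOnly.AddCert(oldRoot)
	overlap.AddCert(oldRoot)
	overlap.AddCert(newRoot)
	newOnly.AddCert(newRoot)

	return RotationOutcome{
		OldRootOnlyAcceptsNew: VerifyFirmware(image, sigNew, newSigner, oldOnly) == nil,
		OverlapAcceptsNew:     VerifyFirmware(image, sigNew, newSigner, overlap) == nil,
		OverlapAcceptsOld:     VerifyFirmware(image, sigOld, oldSigner, overlap) == nil,
		NewRootOnlyAcceptsNew: VerifyFirmware(image, sigNew, newSigner, newOnly) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunRotationScenario())
}
```

Running it shows the failure mode from the question: only the overlap and new-root stores accept the image signed with the new certificate, and nothing accepts the old-signed image any more because that signing cert is past its NotAfter. The order of operations the replies recommend falls out of this directly: a device must already hold the new root (the overlap state) before it sees the first image signed under it, and the only image that can deliver that root safely is one signed with a still-valid old certificate, which is why the CA update has to go out through configuration management while the old chain is still usable.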