Field Notice: FN – 72557 – Cisco Secure Email Gateway: Update Needed to Certificate Authority Trust Store to Avoid Failure of Cisco Aggregator Service – Software Upgrade Recommended

Problem Description
The internal Certificate Authority (CA) trust store used by the Cisco Aggregator (Click Tracking) service does not include the root CA IdenTrust Commercial Root CA 1. Due to this, any Secure Email Gateway (ESA) that runs an impacted version of AsyncOS will lose Click Tracking functionality once the existing https://aggregator.cisco.com/ certificate has expired and is renewed using the IdenTrust Commercial Root CA 1 root CA.

Background
For enhanced security, the certificate supplied to https://aggregator.cisco.com/ will be renewed using a CA of HydrantID Server CA O1, which is then further issued by the root CA IdenTrust Commercial Root CA 1. The current DigiCert certificate will expire in February 2024, and customers who utilize Click Tracking will be required to upgrade to a fixed AsyncOS release before this time in order to avoid disruption to their service.

This advisory can be found at the following link:
https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72557.html