IOS APs use this certificate to validate the image downloaded from the WLC, before installing the software on the AP. The image signing certificates bundled in the AP IOS images were issued on December 4, 2012, and expired on December 4, 2022.
When IOS APs are upgraded or downgraded via CAPWAP, after December 4, 2022, they may get stuck in an image download loop, and thereby fail to join the WLC, due to a failure to validate the signing certificate in the downloaded image. APs that run AP-COS (802.11ac Wave 2, Wi-Fi 6, Wi-Fi 6E APs) are not affected, nor are IOS APs in autonomous mode. AireOS, Catalyst 9800 series and Converged Access controllers are affected. The affected lightweight IOS images were built from December 2012 through November 2022. This issue is tracked by Cisco bug CSCwd80290 and the Field Notice FN72524 and is caused by an AP image signing certificate validation failure. This document provides details on IOS access point (AP) join failures, seen with both AireOS and C9800 Wireless LAN Controllers (WLCs), after December 4, 2022.