https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4010538#M454564 While not a renewal per say, the easiest way is to generate a new CSR on the admin node of the deployment selecting either multi use or eap for its usage. <BR /><BR />You accomplish this two ways depending on what you need.<BR />1. If you only need a self signed eap cert, then you can generate a new one by clocking the "generate self signed certificate" button in the "system certificates" page.<BR /><BR />2. If you require a CA signed eap cert (probably more common), then you can do that by navigating to this page, and clicking the "generate certificate signing request" button and entering the information.<BR />https://&lt;your admin node ip or name&gt;/admin/#administration/administration_system/administration_system_certificates/certificates_cert_mgmt/certificates_cert_mgmt_cert_signing_requests<BR /><BR />Here is a visual guide<BR /><A href="https://networkproguide.com/cisco-ise-24-certificate-install/" target="_blank">https://networkproguide.com/cisco-ise-24-certificate-install/</A><BR /><BR />Here is the Cisco admin guide steps<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#ID961" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#ID961</A><BR /><BR /><BR />Now keep in mind a very important thing. If you are creating a new CSR, be very careful before using a new CN. Endpoints may be set up to only trust the CN found within the certificate, and auth can fail if you change it. It varies by environment, but you can use a non existent CN (ex. old node name), and the cert will be properly built so long as it also appears in the SAN field. Mon, 13 Jan 2020 15:11:18 GMT Damien Miller 2020-01-13T15:11:18Z https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4010454#M454563 <P>Hi,</P><P>&nbsp;</P><P>Not sure if this has been covered or not, but whats the best way to renew a certificate on ISE, it is used for EAP.</P><P>&nbsp;</P><P>Cheers,</P><P>Bobby</P> Mon, 13 Jan 2020 13:09:33 GMT https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4010454#M454563 Bobby123 2020-01-13T13:09:33Z https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4010538#M454564 While not a renewal per say, the easiest way is to generate a new CSR on the admin node of the deployment selecting either multi use or eap for its usage. <BR /><BR />You accomplish this two ways depending on what you need.<BR />1. If you only need a self signed eap cert, then you can generate a new one by clocking the "generate self signed certificate" button in the "system certificates" page.<BR /><BR />2. If you require a CA signed eap cert (probably more common), then you can do that by navigating to this page, and clicking the "generate certificate signing request" button and entering the information.<BR />https://&lt;your admin node ip or name&gt;/admin/#administration/administration_system/administration_system_certificates/certificates_cert_mgmt/certificates_cert_mgmt_cert_signing_requests<BR /><BR />Here is a visual guide<BR /><A href="https://networkproguide.com/cisco-ise-24-certificate-install/" target="_blank">https://networkproguide.com/cisco-ise-24-certificate-install/</A><BR /><BR />Here is the Cisco admin guide steps<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#ID961" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#ID961</A><BR /><BR /><BR />Now keep in mind a very important thing. If you are creating a new CSR, be very careful before using a new CN. Endpoints may be set up to only trust the CN found within the certificate, and auth can fail if you change it. It varies by environment, but you can use a non existent CN (ex. old node name), and the cert will be properly built so long as it also appears in the SAN field. Mon, 13 Jan 2020 15:11:18 GMT https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4010538#M454564 Damien Miller 2020-01-13T15:11:18Z https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4011104#M454565 <P>Hi Damien,</P><P>&nbsp;</P><P>Thank you for that explanation and links, most helpful!&nbsp;</P><P>&nbsp;</P><P>As for the post certificate renewal testing, we are trying to work out the best way to test one of the certificate renewals (say on the secondary ISE box), and create a test SSID which points only to that secondary ISE server for testing before we update the primary server, is this something which is workable?</P><P>&nbsp;</P><P>Also with this EAP authentication certificate, we are trying to work out what the best way is to see how it is working at present, we do not have more in terms of working knowledge of this (i.e. is it just used for our Corporate Wifi or is it used for other services).</P><P>&nbsp;</P><P>Hope this makes sense!</P><P>&nbsp;</P><P>Cheers,</P><P>Bobby</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 Jan 2020 10:49:29 GMT https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4011104#M454565 Bobby123 2020-01-14T10:49:29Z https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4013030#M454566 <P>Yes, WLC, for example, is able to have different sets of RADIUS servers for different WLANs (SSIDs).</P> <P>As long as you are able to keep unique subjects for the certificates (e.g. different O our OU values), you may have more than one certificate associated with one ISE node, just need to move the usage around. Other than that, test, test, and test!</P> Thu, 16 Jan 2020 21:39:42 GMT https://community.cisco.com/t5/network-access-control/how-to-renew-eap-certificate/m-p/4013030#M454566 hslai 2020-01-16T21:39:42Z