topic Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates. in Network Access Control

[ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jihye Han — Wed, 06 Nov 2019 09:26:45 GMT

Hi Expert,

I'd like to know how to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

My customer is using the ISE V2.3.7 and they said the above certificate will be expired on Feb 08, 2020 so they want to renew it before it expires.

Does anyone know what this certificate is for? From my checking, I couldn't find any related guide for that.

Thank in advance.

Jihye.

#Trusted Certificates

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Arne Bier — Thu, 07 Nov 2019 07:52:44 GMT

Hi @Jihye Han

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

regards

Arne

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jihye Han — Thu, 07 Nov 2019 04:37:43 GMT

Hi Arne,

Thank you for the great explanations.

I fully understood.

Best Regards,

Jihye.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jason Kunst — Thu, 07 Nov 2019 15:20:20 GMT

@Arne Bier wrote:

Hi @Jihye Han

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

regards

Arne

TRUE! also Cisco will update any roots that are critical to its needs on ISE in a patch when coming close to renewal time. Another reason to keep things fresh 🙂

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

hslai — Thu, 07 Nov 2019 15:23:51 GMT

I do not think this still in-use so should be safe to delete. It was imported earlier for one of our feed services because either cisco.com or ise.cisco.com or perfigo.com used to use certificates issued by that CA.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

ciscogo — Tue, 12 Nov 2019 10:22:58 GMT

Hello,

I currently have the same problem with a client, his "VeriSign Class 3 Secure Server CA - G3" certificate expires in February 2020. How do I know if he uses it? He would like to renew it, is it possible and how do we do it? According to your answer it is not possible to renew this certificate.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Arne Bier — Tue, 12 Nov 2019 21:53:20 GMT

I suspect this is going to be a commonly asked question, because I also found this cert expiration warning on my ISE 2.4 system.

This cert was shipped with ISE, but since Cisco doesn't tell us why, it's anyone's guess. I may have seen mention things along the lines of, "ISE needed this cert back in the day to connect to Cisco Call Home, Smart Licensing, or Cisco Profiler Feed Service, or the BYOD Client Provisioning download feature etc." - all these features built into ISE that rely on a TLS connection to trust the end system. But this is a legacy cert and it doesn't appear to be needed for anything that ISE is doing internally.

As a proof point, I just deleted it and then tested all the "ISE Internet Services" that I could find - and they all still work.

Here's my advice. Before deleting this cert, export it through ISE GUI and then save the file somewhere in case you need it in the next 90 days before it expires. Once the cert has expired, it's no good to anyone. So then you may as well delete it. But if you want to prove to customer that deleting the cert won't break anything, then save a copy before deleting it. If something breaks then they can re-install it and then you'll know what it's for. It's highly unlikely that your customer needs this cert.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Surendra — Wed, 13 Nov 2019 00:23:26 GMT

Also, there was one defect filed recently to have the details of these certificates documented. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr90534/?rfs=iqvred

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jason Kunst — Fri, 20 Dec 2019 12:08:21 GMT

Here is a list of information we will be putting into the official ISE admin guide . we are also hoping to have a more comprehensive listing after the thanksgiving holiday here in the U.S. I will update then

CSCvr90534 Doc: A Document for description of default imported Trusted Certificates is necessary

Everything should be good here now! Take a look!

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#concept_wzh_vgl_bkb

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0111.html#concept_wzh_vgl_bkb

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_0111.html#concept_wzh_vgl_bkb

Do let me know if any further changes are required!

Problem statement

"VeriSign Class 3 Secure Server CA – G3" intermediate CA certificate that comes part of ISE by default in ISE for Cisco Services is expiring on Feb 2020.

The issuer of this certificate is "VeriSign Class 3 Public Primary Certification Authority - G5" and this Root CA is valid up to Wed, 16 Jul 2036. This Root CA certificate is trusted by default in ISE for Cisco Services.

Trusted for Cisco Services

"VeriSign Class 3 Secure Server CA – G3" is trusted for Cisco Services by default in ISE.

Cisco Services can be categorized to following items:

Posture, Profiler and Client Provisioning (Group 1). These are using a different certificate chain and not "VeriSign Class 3 Secure Server CA – G3".

Other trust configurations

It is possible that following services can be internally using this trust certificate for third party verification.
MDM, SMS, TC-NAC, pxGrid, and CRL/OCSP (Group 2)
It is possible that customer may have referred this certificate in system certificates, Secure syslog and Secure ldap (Group 3)

Guidelines to safely remove this certificate from ISE

Schedule a MW and follow the below guidelines to safely remove this certificate from ISE.

As a first step, go ahead and export this certificate and keep it safe for future purpose. It can be imported back if any of the services in ISE breaks after deleting this certificate.
Disable the certificate and check whether Group 1, 2 and 3 continue to work. Not all the customers use all the services. Test only the relevant services.
Delete the certificate. The delete will not be allowed if certificate is referenced by Group 3. Make configuration changes to remove the references and then delete.
Test Group1, 2 and 3 to make sure all the services continue to work.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

jsteffensen — Wed, 18 Dec 2019 09:22:30 GMT

Are there any validated, detaild information about the "VeriSign Class 3 Secure Server CA – G3" Certificate?

As @Jason Kunst mentioned, It is "possible" that following services can be internally using this trust certificate.

How should customers and partners intepret this statement "possible"?

- Does not Cisco know if what exactly the different Trusted Certificates within ISE is used for- related to PxGrid, TC-NAC and so on?

- or Is this something customers them selves can configure to use explicit for TC-NAC? - "How would this typically be done"

Somehow i intepret the answer as: "we have no clue what we are doing - but disable it and see what happends..."

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jason Kunst — Wed, 18 Dec 2019 18:10:46 GMT

as stated above we are going to provide a concise guide on this and put it in the admin guide, there is a defect to track

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Arne Bier — Fri, 20 Dec 2019 11:29:23 GMT

I would have expected a Cisco Field Notice for this since it affects every version of ISE I have come across - at least 2.2 and onwards. (it’s even shipping in ISE 2.7)

Surely a patch would be released to remove this cert?

FYI: Another major Wireless vendor sent out a field notice today about this same issue.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jason Kunst — Sat, 21 Dec 2019 14:55:45 GMT

@Arne Bier wrote:

I would have expected a Cisco Field Notice for this since it affects every version of ISE I have come across - at least 2.2 and onwards. (it’s even shipping in ISE 2.7)

Surely a patch would be released to remove this cert?

FYI: Another major Wireless vendor sent out a field notice today about this same issue.

will see what we can do, for now the guidance is in the guides

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

rsijori@ — Fri, 17 Jan 2020 16:46:19 GMT

Thanks Arne for your response on this! Wish there was a field notice from Cisco regarding this as it impacts all the ISE customers!

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Kn1ghtR1d3rOfD00m — Mon, 27 Jan 2020 14:54:15 GMT

Hi, sorry for bugging, I have the same symptom , its gonna expire on Fri, 7, 2020,

What does it mean: it impacts all the ISE customers? will it affect the services?

sorry Im not following up

Im running a very old version though, 2.0.236

@ all

has anyone deleted and has encountered any issues?

can I delete it before expiration or should i just wait until it expires?

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Arne Bier — Mon, 27 Jan 2020 22:02:23 GMT

@Kn1ghtR1d3rOfD00m - the question you need to answer is whether any of your ISE 2.0 nodes use Internet based services. If the answer is a categorical NO, then you're ok - delete the cert.

The problem is that Cisco cannot tell us what this cert is used for in ISE (not to my knowledge - correct me if I am wrong)

Examples of ISE 2.4/2.6 Internet based services are:

Profiler Feed Update (ise.cisco.com)
Posture Updates (https://www.cisco.com/web/secure/spa/posture-update.xml)
Cisco Call Home (and indirectly Smart Licensing) (tools.cisco.com)
Client Provisioning Updates (https://www.cisco.com/web/secure/spa/provisioning-update.xml)

There have been some URL changes since ISE 2.0

Only way to be sure is to open a TAC case - or reverse engineer the box with tcpdump and analyse the TLS negotiation to see what certs are presented by the foreign servers. Very time consuming ...

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

derobbacher — Mon, 10 Feb 2020 15:19:42 GMT

Hello,

I opened a TAC case and was advised to download and install two new certificates instead.

These ones are called HydrantID and QuoVadis Root CA 2.

They serve to connect to Cisco.com via SSL in order to obtain binary and data updates for Posture and BYOD.

I estimate that the obsolete Verisign cert was used for this in the past.

You can download them from:

https://software.cisco.com/download/home/283801620/type/283802505/release/cisco.com-certs

And here is the Field Notice describing the purpose of these certificates and how they should be installed.

https://www.cisco.com/c/en/us/support/docs/field-notices/701/fn70122.html

Greetings

Wini

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

decubed — Thu, 13 Feb 2020 15:58:03 GMT

I started getting log messages "Smart Licensing Authorization Renewal Failure" on the same day the cert expired. I don't believe in coincidences.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Arne Bier — Thu, 13 Feb 2020 21:47:56 GMT

@decubed

My Smart Licensing is still working despite me having deleted the expired Verisign cert. That story about the QuoVadis/Hydrant CA cert is quite old and it was all over the news back then. Perhaps people didn't act on the field notice then, but most systems that have this installed will be ok. Have a look if that fixes your issue.

Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

innovative_elephant — Wed, 29 Apr 2020 20:30:58 GMT

With ISE 2.4, we got an error message when trying to delete this cert (VeriSign Class 2 Secure Server CA - G3).

Temporarily disabling all logging (Admin - System - Remote Logging Targets) allowed us to delete the cert even though none of our logging setup appeared to reference that cert.

Our issue and error message appears very similar to: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvk76680