topic ISE Certificates in Network Access Control

ISE Certificates

ciscoworlds — Thu, 18 Apr 2019 08:00:00 GMT

Hi.

There are 4 certificates under "Certificate Authority Certificates" menu which are Root, OCSP, Node and Endpoint. The validity period of these certificates is as long as 10 years (it shows 2029 as the expiration date).

Also by default there are a system certificate under "System Certificates" which is used for Admin, EAP Authentication, DTLS and Portals. The validity period of this certificate is as long as 1 year (it shows 2020 as the expiration date)

With these in mind, I think the system certificate used by ISE in EAP Authentication will expire in a year. Customer asked us to increase its validity period to 10 years, so they won't have to deal with expired certificate on 802.1x process after a year.

I know that using CSR menu on ISE GUI I can create a signing request and sign it with external CA. But how it is done as I want to use ISE internal CA instead to sign this new request and extend its validity period to 10 years? And at the first place why does the default self-signed system certificate on ISE has been set to be valid just for a single year despite that the Root CA certificate on the ISE valid for 10 years?

Re: ISE Certificates

paul — Thu, 18 Apr 2019 12:28:21 GMT

That is a normal CA setup. The root and Sub CAs usually have long lived certificates as they are used to issue and validate a chain of trust. The actual certificates issued to end devices/clients have a much lower expiry time, typically in the 1-2 year range. I don't believe any of the public CA providers do more than 2 years at this point.

Your customer wants to use the internal ISE CA issued cert for EAP authentication and portals? Have you explained to them that no one trusts the ISE internal CA and will get certificate warnings unless you turn off server validation (not a good idea) or distribute the ISE root CA cert to the clients' trusted root CA store? The only thing I use the ISE internal CA cert for is pxGrid.

At this point if you client really doesn't care about certificates, you could just generate a self-signed certificate with a 15 year expiry and use that for everything. If you want to use the ISE internal CA you can make a new template under the Certificate Template screen that has an expiry of up to 10 years and issue certs from that template. Again none of this would I ever recommend to a customer.

Re: ISE Certificates

ciscoworlds — Thu, 18 Apr 2019 14:10:36 GMT

just supposing that we have decided to increase the validity period of the system certificate on ISE which has one-year validity by default, what will be done on expiration date of that certificate? Does ISE renew its self-signed server certificate which is used for EAP Authentication before expiration date or we need to regenerate a new system certificate before expiration date manually?

my regards;

Re: ISE Certificates

paul — Thu, 18 Apr 2019 17:38:44 GMT

You will need to manually refresh the ISE certificate.

Re: ISE Certificates

kthiruve — Tue, 23 Apr 2019 04:01:21 GMT

No appliance will automatically renew certificates. That is counter intuitive to security.

-Krishnan

Re: ISE Certificates

ciscoworlds — Mon, 06 May 2019 10:16:33 GMT

@kthiruve Do you mean that we won't need to manually renew the ISE self-signed system certificates used for EAP-authentication, portal, RADIUS, etc at all?

Re: ISE Certificates

kthiruve — Thu, 30 May 2019 20:58:15 GMT

Let me clarify, you need to manually renew certificate. ISE does not automatically renew it for you.

-Krishnan