topic Re: Alarm about expiration certificate (SAML) in Network Access Control

Alarm about expiration certificate (SAML)

SupportAC — Mon, 17 Dec 2018 13:52:12 GMT

Hi,

We are receiving this alarm about certificate expiring. We would like to know what it the use for this certificate and to know if this certificate is being used and how to renew it.

Alarm Name :

Certificate Expiration

Details :

Local certificate 'Default self-signed saml server certificate - CN=SAML_ISE01.COMPANY.COM' will expire in 53 days : Server=ISE01

Description :

This certificate will expire soon. When it expires, ISE may fail when attempting to establish secure communications with clients. Inter-node communication may also be affected

Severity :

Warning

Suggested Actions :

Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use ISE to extend the expiration date. You can just delete the certificate if it is no longer used

Re: Alarm about expiration certificate (SAML)

Surendra — Tue, 27 Nov 2018 20:35:25 GMT

That depends on whether or not you are using the certificate for any purpose on the ISE. ISE creates that certificate by default when you install it just in case you need it. If you have not ever used it before or do not intend to use that certificate for any purpose, please feel free to delete it. It will not harm any of your services. Besides, ISE will not allow to delete a certificate if it is being used somewhere.

Re: Alarm about expiration certificate (SAML)

SupportAC — Wed, 28 Nov 2018 13:14:10 GMT

how can we know if this certificate is being used? in what config this certificate would be used? thanks for your response

Re: Alarm about expiration certificate (SAML)

SupportAC — Mon, 03 Dec 2018 08:32:22 GMT

any idea?

Re: Alarm about expiration certificate (SAML)

Nadav — Mon, 03 Dec 2018 08:57:33 GMT

Hey,

From the PAN, go to Administration > System > Certificates.

Under System Certificates you can see which active usage each certificate has. If it's not in use, its usage will be "Not in Use" and then you can safely remove it.

By the way, you can manage the certificates of all nodes of the deployment from this menu.

Re: Alarm about expiration certificate (SAML)

SupportAC — Mon, 17 Dec 2018 12:27:52 GMT

Hi,

I can see the certificate but the certificate for ISE01 seems like "Not in use"

and in the certicifate for ISE1 is used by SAML.

How can confirm that SAML is being used? how can i renew the certificate or make sure is being used?

Re: Alarm about expiration certificate (SAML)

SupportAC — Mon, 17 Dec 2018 14:09:57 GMT

HI,

I went to the IdP provider config and i can confirm that SAML is not being used. So what the recommended option: to renew this certificate or keep it expired?

thanks

Re: Alarm about expiration certificate (SAML)

hslai — Mon, 17 Dec 2018 19:57:53 GMT

As the IdP not using it to validate the SAML requests, its expiration has no impact on authentication. Later on, you might need either renew or delete it while upgrading ISE to a later release.

Re: Alarm about expiration certificate (SAML)

toyip — Mon, 16 Mar 2020 17:21:00 GMT

I tried to delete the default self-signed SAML certificate since the customer is not using SAML. But I get a message (see attachment) when trying to delete it. I even generated a new certificate with SAML as the error message stated, but I'm back to the same problem. It just moves the problem, not resolve it. Is it even possible to remove it?

Re: Alarm about expiration certificate (SAML)

Greg Gibbs — Tue, 17 Mar 2020 05:43:38 GMT

An ISE cluster only supports one certificate bound to the SAML usage. If you create a new self-signed certificate with the SAML usage, it should move the SAML usage to that new certificate. Once that happens, you should be able to delete the old SAML certificate.

If the SAML usage is not moving to the new certificate or SAML is being bound to more than one cert, you will likely need to open a TAC case. They can use the root patch to find and remove certificate linkages directly from the database.

Re: Alarm about expiration certificate (SAML)

toyip — Wed, 18 Mar 2020 14:29:39 GMT

@Greg Gibbs wrote:
An ISE cluster only supports one certificate bound to the SAML usage. If you create a new self-signed certificate with the SAML usage, it should move the SAML usage to that new certificate. Once that happens, you should be able to delete the old SAML certificate.
If the SAML usage is not moving to the new certificate or SAML is being bound to more than one cert, you will likely need to open a TAC case. They can use the root patch to find and remove certificate linkages directly from the database.

Thanks Greg. I did create another self-signed cert with SAML, then I was able to delete the old cert. But now I can't delete the new cert with SAML, so I'm back to where I started. Anyway, may need to get TAC involved as you suggested.

Re: Alarm about expiration certificate (SAML)

Greg Gibbs — Thu, 19 Mar 2020 01:48:10 GMT

ISE requires a certificate installed for the SAML usage even if you are not using the SAML function (the same is true of the other usages like RADIUS DTLS, pxGrid, etc).

Since the SAML usage can only be assigned to a unique certificate (it cannot be assigned to a certificate with any other usages), you will not be able to delete the new certificate.

This is working as designed.