topic Re: Replacing Self-signed Cert in Network Access Control

Replacing Self-signed Cert

kevink707 — Thu, 25 Jan 2018 00:15:03 GMT

I'm bringing up a cluster of ISEs (running ISE 2.3). I believe it would be best practice to replace the built in self-signed certs, however when I try and generate a CSR request I get "You are attempting to generate a CSR whose subject matches the subject of an existing certificate on the same node. This is only permitted when you are replacing a certificate of the same role. Note that the subject is the concatenation of several fields (for example, CN, O, OU, etc.) You can create a unique subject by varying the values in these fields."

First -- Is it appropriate to replace the built in cert?

Second -- Can I delete the existing self-signed cert to avoid this error?

Or -- any other suggestions?

Re: Replacing Self-signed Cert

paul — Thu, 25 Jan 2018 02:25:03 GMT

Fill out the CSR request fields and you won't have this error. Put in the O, OU, City, State and Country values.

Yes you should replace the self-signed cert. Usually, you will end up having several certs in an ISE install.

The EAP-TLS/RADIUS DTLS/Admin cert might come from the customer's internal PKI environment.

The default portal cert may be a public cert.

The pxGrid cert is the one issued from ISE's internal CA.

The SAML cert which you can't get rid of (why you ask... who know), just make a self-signed 10-20 year cert so ISE won't complain about it expiring in 2 years.

Re: Replacing Self-signed Cert

Arne Bier — Thu, 25 Jan 2018 02:27:44 GMT

self signed certs are baaaad, m'kay 😉 Don't use self signed certs.

I would recommend installing a cert in every ISE node (every persona) for the ADMIN role specifically, issued by the customer's own PKI infrastructure. You can either create a CSR and hand that file to your (or the customer's PKI team) and they will return the cert you can then bind to each node. The benefit there is that if the corporate browsers have the PKI CA root cert installed then you won't get browser warnings when administering ISE via GUI.

For the PSN nodes, install a cert for EAP (if doing EAP) so that your supplicants will trust ISE. It may be that the Admin role and the EAP role cert can be the same, if issued by the same issuing CA.

For Sponsor/Guest/Device portals create CSR and submit to public CA.

Long story short - once a role has a new PKI/public cert, then you can go ahead and delete the self-signed cert (because it's no longer assigned to a role)

Re: Replacing Self-signed Cert

hslai — Fri, 26 Jan 2018 01:37:32 GMT

Please follow what Paul and Arne suggested.

Note that you will not be able to delete the built-in self-signed certificate until another certificate or other certificates present and take over the certificate usages (e.g. admin and eap).