https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4145070#M562639 <P>Good notes here - thanks for posting.&nbsp; Potential issue avoided!</P><P>&nbsp;</P> Wed, 02 Sep 2020 11:59:46 GMT r1127hyduk 2020-09-02T11:59:46Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4016992#M541022 <P>Hey Dear ;</P><P>&nbsp;</P><P>Trust certificate 'Default self-signed server certificate' will expire soon</P><P>we would like to know what&nbsp; does mean usage for SAML,&nbsp; and to know if this certificate is really used in my case and how to renew it.</P><P>&nbsp;</P><P>Alarm Name :</P><P>Certificate Expiration</P><P>&nbsp;</P><P>Details :</P><P>&nbsp;Trust certificate 'Default self-signed server certificate' will expire in 60 days : Server=SRP-01-CISE010</P><P>&nbsp;</P><P>Description :</P><P>This certificate will expire soon.&nbsp; When it expires, ISE may fail when attempting to establish secure communications with clients.&nbsp; Inter-node communication may also be affected</P><P>&nbsp;</P><P>Severity :</P><P>Warning</P><P>&nbsp;</P><P>Suggested Actions :</P><P>Replace the certificate.&nbsp; For a trust certificate, contact the issuing Certificate Authority (CA).&nbsp; For a CA-signed local certificate, generate a CSR and have the CA create a new certificate.&nbsp; For a self-signed local certificate, use ISE to extend the expiration date. You can just delete the certificate if it is no longer used</P><P>&nbsp;</P><P>Thanks for help</P><P>&nbsp;</P> Thu, 23 Jan 2020 12:17:42 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4016992#M541022 Nadia Bbz 2020-01-23T12:17:42Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4017391#M541058 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/974132">@Nadia Bbz</a>&nbsp;</P> <P>&nbsp;</P> <P>I implement my own best practice for these situations: any cert that is not required on my customers' nodes is given a 10 year self-signed cert, to ensure that they don't get any expiration notices for certs they don't need. 10 years is the max - but by then I would assume the system would have been rebuilt anyway.</P> <P>&nbsp;</P> <P>Under System Certs, generate a new self-signed cert to replace the current cert. Let's say you want to replace the SAML cert.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="self-signed.PNG" style="width: 884px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/65791i55845F9E6F728AA0/image-size/large?v=v2&amp;px=999" role="button" title="self-signed.PNG" alt="self-signed.PNG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 23 Jan 2020 21:28:35 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4017391#M541058 Arne Bier 2020-01-23T21:28:35Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4018402#M541073 <P>Hey <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp; ,</P><P>Thanks so much for helping me , <SPAN>I greatly appreciate it.</SPAN></P><P><SPAN>it's possible to renew certificate just to check the box renewal period and put 10 years or 5 years like the picture below<BR /></SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="self signed.JPG" style="width: 849px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/65911iA68C0728A9BE7C55/image-size/large?v=v2&amp;px=999" role="button" title="self signed.JPG" alt="self signed.JPG" /></span></SPAN></P><P><SPAN>i have another certificate that will expired soon, should i apply the same method to solve it&nbsp;<BR /></SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="self signed certificate.JPG" style="width: 749px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/65912iE8A22509645017A9/image-size/large?v=v2&amp;px=999" role="button" title="self signed certificate.JPG" alt="self signed certificate.JPG" /></span></SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>thanks for help </SPAN></P><P>&nbsp;</P> Sun, 26 Jan 2020 09:16:16 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4018402#M541073 Nadia Bbz 2020-01-26T09:16:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4019090#M541095 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/974132">@Nadia Bbz</a>&nbsp;</P> <P>&nbsp;</P> <P>I learned something new! Thank you. I have never used that renew self cert button button. It does exactly what it says. For self-signed certs it seems you can either create a new one and delete the old one, or simply use the renew feature.</P> <P>Here's the difference between creating a new cert, and renewing a cert:</P> <OL> <LI>Create New Cert: creates a new Cert Serial Number - calculate new cert Fingerprint (hash)</LI> <LI>Renew Cert: Maintain same Serial Number and update the Validity period - calculate new cert Fingerprint (hash)</LI> </OL> <P>&nbsp;</P> <P>regards</P> <P>Arne</P> Mon, 27 Jan 2020 21:45:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4019090#M541095 Arne Bier 2020-01-27T21:45:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4145070#M562639 <P>Good notes here - thanks for posting.&nbsp; Potential issue avoided!</P><P>&nbsp;</P> Wed, 02 Sep 2020 11:59:46 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-4-alarm-about-expiration-certificate-saml/m-p/4145070#M562639 r1127hyduk 2020-09-02T11:59:46Z