topic Trusted Certificates | Default self-signed server certificate in Network Access Control

Trusted Certificates | Default self-signed server certificate

Xividar — Wed, 07 Apr 2021 17:00:32 GMT

Hi Guys,

How do we renew our ISE Trusted Default Self-Signed Cert?

Thank you.

Re: Trusted Certificates | Default self-signed server certificate

Mike.Cifelli — Wed, 07 Apr 2021 17:17:15 GMT

To re-gen self signed certs go to: Administration->System->Certificates->Certificate Management->System Certificates->'Generate Self Signed Certificate'

HTH!

Re: Trusted Certificates | Default self-signed server certificate

Xividar — Wed, 07 Apr 2021 17:33:43 GMT

Hi Mike,

Are you saying that once the default self-signed ISE Root Cert expires, we need to move services off of it? Is there no way to renew it?

Re: Trusted Certificates | Default self-signed server certificate

Greg Gibbs — Wed, 07 Apr 2021 23:24:22 GMT

The 'Default self-signed server certificate' in the Trusted Certificates store is simply a copy of the same cert in the System Certificates store. Depending on the version of ISE you are using, you should be able to edit the cert in the System Certificates store and use the Renew Self Signed Certificate option at the bottom to extend the expiration date. The changes should also be reflected in the Trusted Certificates store.

Re: Trusted Certificates | Default self-signed server certificate

thomas — Thu, 13 May 2021 20:38:19 GMT

You should NEVER renew a self-signed certificate.

Use a public-CA signed certificate or enterprise CA.

Re: Trusted Certificates | Default self-signed server certificate

engineer467 — Sun, 03 Apr 2022 05:23:58 GMT

Dear Greg,

Other than extending the renewal period, what else needs to be done if we are using the self signed cert for PEAP (EAP with MSCHAPv2) authentication?

Please help.

Thank you.

Re: Trusted Certificates | Default self-signed server certificate

Greg Gibbs — Sun, 03 Apr 2022 22:27:38 GMT

The self-signed certificates should only be bound to services that are not actually in use in your environment (pxGrid, RADIUS DTLS, SAML, etc). I would only use the renew self signed certificate option for those certificates. The other option would be to generate new self-signed certs for these unused services upon expiry of the old ones.

Self-signed certificates should never be used for services like EAP. This is NOT recommended and would require re-enrollment of all EAP clients upon any change to the self-signed certificates.

Ideally, an Enterprise CA should sign the ISE and client EAP certificates. Failing that (or for clients that are not managed by your organisation), Public CA signed certificates should be used.

Re: Trusted Certificates | Default self-signed server certificate

ryreyes — Wed, 20 Apr 2022 05:59:18 GMT

Hi Greg,

Just a question regarding this renewal of the default self-signed certificate. I have 2 ISE in HA and I successfully do the renewal/extension of the default self signed certificate of the primary ISE, however when I do the renewal/extension on the secondary node after I save it and the services restarts the default self signed certificate of the secondary ISE was not renewed. Do I need to switchover the role first for the renewal of the secondary node certificate to take effect? I can't see any documentation regarding this so I appreciate any inputs. Thank you.

Re: Trusted Certificates | Default self-signed server certificate

Pietro Inderst — Tue, 04 Jun 2024 05:27:43 GMT

I have this problem to. But I can't renew it on ISE 3.2

What is the solution?

Re: Trusted Certificates | Default self-signed server certificate

iVicMMac — Thu, 16 Jan 2025 19:34:34 GMT

Hello @Greg Gibbs Can I use this option to renew our certificate on both boxes? Obviously one at a time due the restart of ISE application

Our environment below with ISE 2.7