topic Re: ISE - CA Certificates about to expire in Network Access Control

ISE - CA Certificates about to expire

rg235 — Tue, 22 Feb 2022 13:41:41 GMT

Hi all, I've inherited a working installation of ISE and I'm still wrapping my head around it.
I ran into this screen (screenshot attached) which seems quite alarming as it says that CA Certificates will expire in less than 2 weeks. The related CAs are disabled; however self-signed System Certificates (SAML, Admin and EAP Authentication -- guest portal is a bought certificate) are expiring in some years. How do I check if they've been signed with the affected CAs?

Am I safe to suppose that users will still be able to connect in two weeks time? Can I renew these certificates? What are my options?

thank you

Re: ISE - CA Certificates about to expire

Mike.Cifelli — Tue, 22 Feb 2022 14:03:18 GMT

however self-signed System Certificates (SAML, Admin and EAP Authentication -- guest portal is a bought certificate) are expiring in some years. How do I check if they've been signed with the affected CAs?

-Navigate to Administration->System->Certificates->Certificate Management->System Certificates; here you can see what certs are in use and what their respective CA chains are.
Am I safe to suppose that users will still be able to connect in two weeks time?

-More than likely yes, but double check the system certs in use and make sure the EAP Authentication system cert is not expiring.

Can I renew these certificates? What are my options?

-This will help: How To Implement Digital Certificates in ISE - Cisco Community

HTH!

Re: ISE - CA Certificates about to expire

thomas — Tue, 22 Feb 2022 22:24:22 GMT

You may want to register for the upcoming ISE Digital Certificate Administration webinar :

https://cs.co/ise-webinars

Re: ISE - CA Certificates about to expire

Arne Bier — Wed, 23 Feb 2022 05:59:34 GMT

I think that should be a well-attended seminar.

@thomas

What are the chances that the ISE Web Portal Certs could be enabled to use Letsencrypt ? It would be very handy feature at least for Guest Portals or perhaps even the ISE Admin cert.

Re: ISE - CA Certificates about to expire

tjezer — Wed, 23 Feb 2022 15:49:28 GMT

Hi @Arne Bier ,

I think it's possible with the manual procedure: https://eff-certbot.readthedocs.io/en/stable/using.html#manual

In general, I'm not sure if it's a good idea implementing third-part plugins in the Hardening OS's like ISE. But it's only my personal point of view...

Re: ISE - CA Certificates about to expire

RezSalahuddin68319 — Wed, 23 Feb 2022 20:08:27 GMT

Great documentation. Thank you so much for sharing!!

-R

Re: ISE - CA Certificates about to expire

thomas — Thu, 24 Feb 2022 00:08:03 GMT

You may deploy certificates from any CA that you like.

Hosuk demonstrated the worlds fastest multi-node ISE deployment using a wildcard certificate from LetsEncrypt in our December ISE Webinar. 8-)

Automated ISE Setup with Infrastructure as Code Tools

37:08 Demo: Wildcard Certificate Request with Let's Encrypt

Demo Code: https://github.com/hosukw/Full_ISE_Terraform_Ansible_AWS

I think what you really are asking for is ACME protocol support directly in ISE and that is not there yet.

But the new ISE 3.1 Certificate APIs are the next best thing!

Re: ISE - CA Certificates about to expire

Arne Bier — Thu, 24 Feb 2022 00:26:26 GMT

oh boy how did I miss that webinar!!!?? It's amazing. Thanks. I will see if I can give that a try. We're not deploying any 3.1 yet or anywhere near AWS .. yet. But I am mostly interested in the certs techniques for now.

Re: ISE - CA Certificates about to expire

rg235 — Thu, 24 Feb 2022 08:03:51 GMT

Registered! Thank you!

Re: ISE - CA Certificates about to expire

rg235 — Thu, 24 Feb 2022 08:07:30 GMT

Thank you Mike, that helped a lot! System certs are not expiring anytime soon.