https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846359#M582037 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/969432">@patrickbyrne456305724</a> replacing the "admin" certificate will result in restarting the ISE services. Replacing the other certificates does not result in restarting the services. Obviously for the EAP certificate you need to ensure the clients trust the ISE certificate, so use the same CA to issue the certificate and you should be fine.</P> <P>Here is a cisco guide to renew ISE certificates - <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html</A></P> <P>Once you've replaced the certificates and the old certificate is not in use, you can safely delete the certificate.</P> <P>&nbsp;</P> Wed, 31 May 2023 11:30:43 GMT Rob Ingram 2023-05-31T11:30:43Z https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846353#M582036 <P>Hi there,</P><P>We have a bunch of system Certificates expiring ASAP in a PAN failover depoyment (Primary &amp; Secondary)</P><P>Can you aid in the correct steps to carry out this work. Can you actually import the new certs whilst the others are active and then just delete them when new certs are active?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="patrickbyrne456305724_0-1685532037981.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/186104i641F5CAE844AAF50/image-size/medium?v=v2&amp;px=400" role="button" title="patrickbyrne456305724_0-1685532037981.png" alt="patrickbyrne456305724_0-1685532037981.png" /></span></P><P>I look forward to hearing back</P> Wed, 31 May 2023 11:22:06 GMT https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846353#M582036 patrickbyrne456305724 2023-05-31T11:22:06Z https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846359#M582037 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/969432">@patrickbyrne456305724</a> replacing the "admin" certificate will result in restarting the ISE services. Replacing the other certificates does not result in restarting the services. Obviously for the EAP certificate you need to ensure the clients trust the ISE certificate, so use the same CA to issue the certificate and you should be fine.</P> <P>Here is a cisco guide to renew ISE certificates - <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html</A></P> <P>Once you've replaced the certificates and the old certificate is not in use, you can safely delete the certificate.</P> <P>&nbsp;</P> Wed, 31 May 2023 11:30:43 GMT https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846359#M582037 Rob Ingram 2023-05-31T11:30:43Z https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846500#M582038 <P>Many thanks for response..If you add/import the new Certs to the Primary ISE node do they then automatically get onto the Secondary. Or, would you need to import onto Secondary first etc?</P> Wed, 31 May 2023 14:24:22 GMT https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846500#M582038 patrickbyrne456305724 2023-05-31T14:24:22Z https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846535#M582039 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/969432">@patrickbyrne456305724</a></P> <H3 id="ariaid-title42" class="title topictitle3 3H_Head3-F767EBB3">Bind a CA-Signed Certificate to a Certificate Signing Request</H3> <TABLE class="stepTable" border="0"> <TBODY> <TR id="ID776__step_C504B5F5F4F2474A9C13E5276DA7A1AC" class="li step"> <TD width="10%" align="left" valign="top"><STRONG>Step&nbsp;7</STRONG></TD> <TD align="left" valign="top"> <P class="ph cmd">(Optional) Check the services for which this certificate will be used in the <SPAN class="ph uicontrol">Usage</SPAN> area.</P> <SECTION class="itemgroup info">This information is autopopulated if you have enabled the <SPAN class="ph uicontrol">Usage</SPAN> option while generating the certificate signing request.<SPAN class="ph"> You can also choose to edit the certificate at a later time to specify the usage.</SPAN> <P class="p"><EM><STRONG>Changing the <SPAN class="ph uicontrol">Admin</SPAN> usage certificate on a primary PAN restarts the services on all the other nodes. The system restarts one node at a time, after the primary PAN restarts.</STRONG></EM></P> </SECTION> </TD> </TR> </TBODY> </TABLE> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_manage_certificates.html#ID776" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_manage_certificates.html#ID776</A></P> <P>Only the admin certificate initiates a restart of the ISE services.</P> <P>&nbsp;</P> Wed, 31 May 2023 14:57:36 GMT https://community.cisco.com/t5/network-access-control/expired-system-certificate-cisco-ise/m-p/4846535#M582039 Rob Ingram 2023-05-31T14:57:36Z