topic Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE in Network Access Control

Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Ariel_DF — Thu, 30 May 2024 11:58:48 GMT

Hello everyone,
We have these Azure certificates installed on a Cisco ISE server, to support the MDM integration:
Microsoft Azure TLS Issuing CA 01
Microsoft Azure TLS Issuing CA 02
Microsoft Azure TLS Issuing CA 05
Microsoft Azure TLS Issuing CA 06

ISE is reporting that these certificates will expire in 32 days. I've tried to locate the new certificates but without success.
Anyone else has happened?? Would you know of any solution?

Thanks!!

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Mark Elsen — Thu, 30 May 2024 13:45:40 GMT

- FYI : https://learn.microsoft.com/en-us/answers/questions/1638370/when-will-microsoft-azure-tls-issuer-be-updated-(e
Scroll down to the Accepted Answer ,

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Greg Gibbs — Fri, 31 May 2024 09:19:49 GMT

https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Ariel_DF — Mon, 03 Jun 2024 07:49:42 GMT

Thanks for the response, I'm going to try to load those certificates to see if everything works OK.

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Greg Gibbs — Tue, 04 Jun 2024 22:08:34 GMT

Actually, an update on this... as per the most recent updates to this MS document, the certificate rotation for the API endpoints used for the Compliance Retrieval (NAC 2.0) API have resulted in ISE only needing to trust the DigiCert Global Root G2 CA certificate for the MDM lookups to work.

"Network Access Control (NAC) note

For all Network Access Control (NAC) scenarios, when using a 3^rd party provider such as Cisco, please be sure your NAC provider has validated their root CA config. They should have how to do this documented, but in case they don’t:

Add DigiCert Global Root G2 to their trusted CA store.
For some providers, they many need to validate the configuration and update as needed.
Confirm your network can receive traffic so that the configuration can be pushed down to individual ISE boxes.
For some providers note that it can take time for updates to be distributed."

My guess is that MS fixed something in the way the certificate signing or chain was done in the past.

I removed all of the MS TLS and MS RSA TLS certs from my ISE instance and the Intune MDM lookups still work as expected. Only if I delete the DigiCert Global Root G2 CA certificate, can I make the lookups fail. This is actually how one would expect the trust to properly work.

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Ariel_DF — Wed, 05 Jun 2024 08:04:21 GMT

Hello Greg,

I had seen this a few days ago, but I had doubts because of what it says in this link:

https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149

We have yet to define a work window outside of business hours to do this, but what you mentioned has been of great help to me.

Thanks!!

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

craiglebutt — Fri, 21 Jun 2024 07:57:04 GMT

Hi, I remember settring these certs up agaes ago, to clarify this is for just the MDM part for ISE? If ISE is not carrying out the MDM, we don't need to bothere about this?

Cheers

Re: Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Greg Gibbs — Fri, 21 Jun 2024 22:55:10 GMT

@craiglebutt... correct. Also, I believe the Digicert Global Root G2 CA cert is installed in the Trust Store by default in more recent versions of ISE as it likely signs other public certs as well.