topic Renew Self Signed Certificate on ISE in Network Access Control

Renew Self Signed Certificate on ISE

NaujEl — Mon, 03 Jun 2024 04:17:34 GMT

Hi,

I need help renewing a self-signed certificate on a customer's ise. They have a self-signed certificate that is used for admin and EAP authentication, and I've been seeing that there's a Renewal Period option for these types of certificates. My question is if I update this certificate with that option, will all clients who have that certificate also be updated? Or do I need to upgrade by GPO or one by one.

I was looking at changing that certificate to one signed by an external CA like DigiCert, but I'm not sure if this avoids the problem of propagating the certificate.

Re: Renew Self Signed Certificate on ISE

balaji.bandi — Mon, 03 Jun 2024 06:30:09 GMT

do I need to upgrade by GPO or one by one.

If the same CA and clients know about that root CA that should be ok, if you are using new CA then Client should trust that cert also. (so you need to push this certs to client to trust using GPO or any other method) - ISE do not push certs to clients as per i kn0w).

for EAP if the certificate server is new you need to push all the clients before you update on ISE so client can trust that cert.

Sure you can use Public Certs, so client do not need to have CA certs on client, since client know publics CA already know.

check this if you looking to public or own PKI :

https://community.cisco.com/t5/security-knowledge-base/using-let-s-encrypt-certificates-with-cisco-ise/ta-p/5090885

If you have more PSN - you can do testing one PSN at a time binding the certs.

Re: Renew Self Signed Certificate on ISE

Arne Bier — Mon, 03 Jun 2024 07:01:22 GMT

Renewing an ISE self-signed cert does very little to the cert - it changes only the valid from and valid to dates, and then the signature hash is regenerated. Serial number of the cert remains the same. End clients would not know the difference between old and new.