topic Re: Renew Default self-signed server certificate Cisco ISE 2.7 in Network Access Control

Renew Default self-signed server certificate Cisco ISE 2.7

iVicMMac — Fri, 17 Jan 2025 23:37:36 GMT

Hello,

Our Default self-signed server certificates are about to expire, so I need to know if is possible to renew them manually editing them on this way without breaking the cluster.

Certificate to renew:

Deployment, 1 prim admin, 1 prim monitoring

ISE version 2.7

Thanks in advance

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Mark Elsen — Sat, 18 Jan 2025 07:40:01 GMT

- FYI : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html
https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Rob Ingram — Sat, 18 Jan 2025 10:35:38 GMT

@iVicMMac refer to the ISE certificate renewal guide already provided. Bear in mind when you replace the "admin" certificate the ISE services will restart. Ideally you should use your internal CA to sign the certificates.

FYI, ISE 2.7 is End of Life and End of Support, you should look to upgrade asap. ISE 3.3 patch 4 is the current Cisco recommended version.

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Aref Alsouqi — Sat, 18 Jan 2025 12:33:52 GMT

Yes you can renew that self-signed certificate by leveraging the "Renewal Period" feature. When you enable that tick box then you will have to define the period in which the certificate should be renewed before its expiry date.

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Marcelo Morais — Sun, 19 Jan 2025 17:52:19 GMT

Hi @iVicMMac ,

please take a look at ISE - Queue Link Error, search for Generate Signing Requests (CSR).

Hope this helps !!!

Re: Renew Default self-signed server certificate Cisco ISE 2.7

iVicMMac — Fri, 24 Jan 2025 16:05:18 GMT

Thank for your answer, should I renew first the primary or secondary? take in count that we have different certificates for each box

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Aref Alsouqi — Sat, 25 Jan 2025 12:49:57 GMT

You're welcome. Why different certificates? both nodes are in the same deployment right? when you configure the option to renew the self-signed certs it would configured from the primary PAN and it would apply to the deployment not the individual nodes. So, when you do it from there you should be good to go with both nodes.

Re: Renew Default self-signed server certificate Cisco ISE 2.7

iVicMMac — Sat, 25 Jan 2025 13:20:24 GMT

thanks, I don't know why we have 2 different certificates, I received these boxes in this way, however I'll start with the renewal of the primary admin and hope it apply it to the secondary

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Aref Alsouqi — Sat, 25 Jan 2025 15:19:41 GMT

Actually because they are self-signed certs it would make sense to have them different because each node would have generated its own certificate, but anyway, changing the renewal config would apply to both and you should be good with both of them.

Re: Renew Default self-signed server certificate Cisco ISE 2.7

iVicMMac — Mon, 27 Jan 2025 15:14:26 GMT

Just FYI,

Certificates renewed from the primary admin node and it replicated to the secondary, only 5 minutes of downtime due the restart of ISE application for both boxes. Duration for the renewed certificates: 10 years

Re: Renew Default self-signed server certificate Cisco ISE 2.7

Aref Alsouqi — Tue, 28 Jan 2025 09:12:00 GMT

Thanks for sharing the outcome and glad to hear it worked as expected.