https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371352#M599831 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1885457">@renzanjo-caparas</a>&nbsp;</P> <P>The Root CA is the CA that issues the intermediate CA(s). If it's only the intermediate CA(s) that is/are expiring, then you would not replace the Root CA - you would generate a new Intermediate CA from the existing Root CA.&nbsp; Of course, if your Root CA is going to expire soon, then you would have to replace the entire thing (Root + Intermediates). Perhaps that is what they meant.</P> <P>&nbsp;You can export that Root CA from ISE Trusted Certificates section.</P> <P>I tend to use openssl or XCA to test cert chains.&nbsp; If you only have a Windows PC, you can also import these certs (Root and Intermediate) on the PC and then click on them - the Windows cert viewer is quite handy to validate CA cert chains.</P> Thu, 19 Feb 2026 20:30:27 GMT Arne Bier 2026-02-19T20:30:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371076#M599825 <P>Hi everyone,&nbsp;<BR /><BR />Good day and greetings!&nbsp;<BR /><BR />Our Intermediate CA will expire in 60 days. Somebody told me from the organization that I should renew the Root instead. But when I check the Hierarchy in Cisco ISE it is showing "Certificate is good"</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="renzanjocaparas_0-1771461705418.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/259889i0058C97B76A7EB52/image-size/medium?v=v2&amp;px=400" role="button" title="renzanjocaparas_0-1771461705418.png" alt="renzanjocaparas_0-1771461705418.png" /></span></P> <P>This Intermediate is the one we are really planning to renew</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="renzanjocaparas_1-1771461733694.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/259890iA88C5BCD9665C1A5/image-size/medium?v=v2&amp;px=400" role="button" title="renzanjocaparas_1-1771461733694.png" alt="renzanjocaparas_1-1771461733694.png" /></span></P> <P>Two questions I have:</P> <P>1. Is he correct?</P> <P>2. Where can i export that Root CA to verify this chain?</P> <P>Regards!</P> Thu, 19 Feb 2026 00:43:46 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371076#M599825 renzanjo-caparas 2026-02-19T00:43:46Z https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371352#M599831 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1885457">@renzanjo-caparas</a>&nbsp;</P> <P>The Root CA is the CA that issues the intermediate CA(s). If it's only the intermediate CA(s) that is/are expiring, then you would not replace the Root CA - you would generate a new Intermediate CA from the existing Root CA.&nbsp; Of course, if your Root CA is going to expire soon, then you would have to replace the entire thing (Root + Intermediates). Perhaps that is what they meant.</P> <P>&nbsp;You can export that Root CA from ISE Trusted Certificates section.</P> <P>I tend to use openssl or XCA to test cert chains.&nbsp; If you only have a Windows PC, you can also import these certs (Root and Intermediate) on the PC and then click on them - the Windows cert viewer is quite handy to validate CA cert chains.</P> Thu, 19 Feb 2026 20:30:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371352#M599831 Arne Bier 2026-02-19T20:30:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371384#M599832 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;,</P> <P>Thank you very much for your feedback. Is this what you meant for exporting? Will this also export the root CA? When exported, it is a PEM file. Sorry I am not much good on certificates.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="renzanjocaparas_0-1771546134221.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/259951iC8EB13675568DB27/image-size/medium?v=v2&amp;px=400" role="button" title="renzanjocaparas_0-1771546134221.png" alt="renzanjocaparas_0-1771546134221.png" /></span></P> <P>&nbsp;</P> Fri, 20 Feb 2026 00:09:35 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371384#M599832 renzanjo-caparas 2026-02-20T00:09:35Z https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371404#M599833 <P>Yep - that's the one. It will export the trusted certificate (which is a public cert - no private key involved etc.) - you can rename that file to .crt in Windows and then click on it - it will display the cert details.&nbsp; Or you can also install it in your Windows profile.</P> <P>I tend to use openssl mostly for this.</P> Fri, 20 Feb 2026 03:43:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trusted-certificate-renewal/m-p/5371404#M599833 Arne Bier 2026-02-20T03:43:39Z