Cisco Employee

[ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3' in Trusted Certificates

Hi Expert,

 

I'd like to know how to renew the 'VeriSign Class 2 Secure Server CA - G3' in Trusted Certificates.

My customer is using ISE V2.3.7 and they said the above certificate will expire on Feb 08, 2020, so they want to renew it before it expires.

Does anyone know what this certificate is for? From my checking, I couldn't find any related guide for that.

 

Thanks in advance.

Jihye.

 

#Trusted Certificates

Accepted Solutions
VIP Advocate

Hi @Jihye Han 

 

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

 

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

 

regards

Arne

Cisco Employee

Hi Arne,

 

Thank you for the great explanations.

I fully understood.

 

Best Regards,

Jihye.

Cisco Employee

I do not think this is still in use, so it should be safe to delete. It was imported earlier for one of our feed services because either cisco.com or ise.cisco.com or perfigo.com used to use certificates issued by that CA.

Cisco Employee

@Arne Bier wrote:

Hi @Jihye Han 

 

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

 

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

 

regards

Arne


TRUE! Also, Cisco will update any roots that are critical to its needs on ISE in a patch when coming close to renewal time. Another reason to keep things fresh :)