cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19510
Views
50
Helpful
20
Replies

[ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

Jihye Han
Cisco Employee
Cisco Employee

Hi Expert,

 

I'd like to know how to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

My customer is using the ISE V2.3.7 and they said the above certificate will be expired on Feb 08, 2020 so they want to renew it before it expires.

Does anyone know what this certificate is for? From my checking, I couldn't find any related guide for that.

 

Thank in advance.

Jihye.

 

#Trusted Certificates

2 Accepted Solutions

Accepted Solutions

Arne Bier
VIP
VIP

Hi @Jihye Han 

 

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

 

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

 

regards

Arne

View solution in original post

Jason Kunst
Cisco Employee
Cisco Employee

Here is a list of information we will be putting into the official ISE admin guide . we are also hoping to have a more comprehensive listing after the thanksgiving holiday here in the U.S. I will update then

 

CSCvr90534 Doc: A Document for description of default imported Trusted Certificates is necessary 

 

Everything should be good here now! Take a look!

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#concept_wzh_vgl_bkb

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0111.html#concept_wzh_vgl_bkb

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_0111.html#concept_wzh_vgl_bkb

 

Do let me know if any further changes are required!

 

Problem statement

"VeriSign Class 3 Secure Server CA – G3" intermediate CA certificate that comes part of ISE by default in ISE for Cisco Services is expiring on Feb 2020.

The issuer of this certificate is "VeriSign Class 3 Public Primary Certification Authority - G5" and this Root CA is valid up to Wed, 16 Jul 2036. This Root CA certificate is trusted by default in ISE for Cisco Services.

Trusted for Cisco Services

"VeriSign Class 3 Secure Server CA – G3" is trusted for Cisco Services by default in ISE.

Cisco Services can be categorized to following items:

Posture, Profiler and Client Provisioning (Group 1). These are using a different certificate chain and not "VeriSign Class 3 Secure Server CA – G3".

Other trust configurations

  1. It is possible that following services can be internally using this trust certificate for third party verification.
    MDM, SMS, TC-NAC, pxGrid, and CRL/OCSP  (Group 2)
  2. It is possible that customer may have referred this certificate in system certificates, Secure syslog and Secure ldap (Group 3)

Guidelines to safely remove this certificate from ISE

Schedule a MW and follow the below guidelines to safely remove this certificate from ISE.

  1. As a first step, go ahead and export this certificate and keep it safe for future purpose. It can be imported back if any of the services in ISE breaks after deleting this certificate.
  2. Disable the certificate and check whether Group 1, 2 and 3 continue to work. Not all the customers use all the services. Test only the relevant services.
  3. Delete the certificate. The delete will not be allowed if certificate is referenced by Group 3. Make configuration changes to remove the references and then delete.
  4. Test Group1, 2 and 3 to make sure all the services continue to work.

View solution in original post

20 Replies 20

Arne Bier
VIP
VIP

Hi @Jihye Han 

 

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

 

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

 

regards

Arne

Hi Arne,

 

Thank you for the great explanations.

I fully understood.

 

Best Regards,

Jihye.

I do not think this still in-use so should be safe to delete. It was imported earlier for one of our feed services because either cisco.com or ise.cisco.com or perfigo.com used to use certificates issued by that CA.


@Arne Bier wrote:

Hi @Jihye Han 

 

Certificates in the ISE Trusted Certificates are public certificates. Users do not (and cannot) renew these certificates. If users don't know why a certain certificate is in the Trusted Certificates store in ISE, then you should ignore them. Once they have expired, delete them. Cisco put those certs there but the list is far from complete. Cisco only chose to put a few Root CA certs into ISE but you can install all manner of CA certs (public or private CA's).

 

Certs in the Trusted Cert store are there to allow ISE to perform checks on the validity of certs that it encounters, potentially signed by those CA's in the Trusted Store. But regardless of that, once those trusted certs have expired, they are useless - delete them.

 

regards

Arne


TRUE! also Cisco will update any roots that are critical to its needs on ISE in a patch when coming close to renewal time. Another reason to keep things fresh :)

Hello,

I currently have the same problem with a client, his "VeriSign Class 3 Secure Server CA - G3" certificate expires in February 2020. How do I know if he uses it? He would like to renew it, is it possible and how do we do it? According to your answer it is not possible to renew this certificate.

Hi

 

I suspect this is going to be a commonly asked question, because I also found this cert expiration warning on my ISE 2.4 system.

 

This cert was shipped with ISE, but since Cisco doesn't tell us why, it's anyone's guess. I may have seen mention things along the lines of, "ISE needed this cert back in the day to connect to Cisco Call Home, Smart Licensing, or Cisco Profiler Feed Service, or the BYOD Client Provisioning download feature etc." - all these features built into ISE that rely on a TLS connection to trust the end system. But this is a legacy cert and it doesn't appear to be needed for anything that ISE is doing internally.

As a proof point, I just deleted it and then tested all the "ISE Internet Services" that I could find - and they all still work.

 

Here's my advice. Before deleting this cert, export it through ISE GUI and then save the file somewhere in case you need it in the next 90 days before it expires. Once the cert has expired, it's no good to anyone. So then you may as well delete it. But if you want to prove to customer that deleting the cert won't break anything, then save a copy before deleting it. If something breaks then they can re-install it and then you'll know what it's for. It's highly unlikely that your customer needs this cert.

 

Also, there was one defect filed recently to have the details of these certificates documented. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr90534/?rfs=iqvred

Jason Kunst
Cisco Employee
Cisco Employee

Here is a list of information we will be putting into the official ISE admin guide . we are also hoping to have a more comprehensive listing after the thanksgiving holiday here in the U.S. I will update then

 

CSCvr90534 Doc: A Document for description of default imported Trusted Certificates is necessary 

 

Everything should be good here now! Take a look!

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#concept_wzh_vgl_bkb

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0111.html#concept_wzh_vgl_bkb

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_0111.html#concept_wzh_vgl_bkb

 

Do let me know if any further changes are required!

 

Problem statement

"VeriSign Class 3 Secure Server CA – G3" intermediate CA certificate that comes part of ISE by default in ISE for Cisco Services is expiring on Feb 2020.

The issuer of this certificate is "VeriSign Class 3 Public Primary Certification Authority - G5" and this Root CA is valid up to Wed, 16 Jul 2036. This Root CA certificate is trusted by default in ISE for Cisco Services.

Trusted for Cisco Services

"VeriSign Class 3 Secure Server CA – G3" is trusted for Cisco Services by default in ISE.

Cisco Services can be categorized to following items:

Posture, Profiler and Client Provisioning (Group 1). These are using a different certificate chain and not "VeriSign Class 3 Secure Server CA – G3".

Other trust configurations

  1. It is possible that following services can be internally using this trust certificate for third party verification.
    MDM, SMS, TC-NAC, pxGrid, and CRL/OCSP  (Group 2)
  2. It is possible that customer may have referred this certificate in system certificates, Secure syslog and Secure ldap (Group 3)

Guidelines to safely remove this certificate from ISE

Schedule a MW and follow the below guidelines to safely remove this certificate from ISE.

  1. As a first step, go ahead and export this certificate and keep it safe for future purpose. It can be imported back if any of the services in ISE breaks after deleting this certificate.
  2. Disable the certificate and check whether Group 1, 2 and 3 continue to work. Not all the customers use all the services. Test only the relevant services.
  3. Delete the certificate. The delete will not be allowed if certificate is referenced by Group 3. Make configuration changes to remove the references and then delete.
  4. Test Group1, 2 and 3 to make sure all the services continue to work.

Hi

 

Are there any validated, detaild information about the "VeriSign Class 3 Secure Server CA – G3"  Certificate?

As @Jason Kunst  mentioned,  It is "possible" that following services can be internally using this trust certificate.

How should customers and partners intepret this statement "possible"?

- Does not Cisco know if what exactly the different Trusted Certificates within ISE is used for- related to  PxGrid, TC-NAC and so on?

- or Is this something customers them selves can configure to use explicit for TC-NAC? - "How would this typically be done"

 

Somehow i intepret the answer as: "we have no clue what we are doing - but disable it and see what happends..."

 

 

 

 

as stated above we are going to provide a concise guide on this and put it in the admin guide, there is a defect to track

I would have expected a Cisco Field Notice for this since it affects every version of ISE I have come across - at least 2.2 and onwards.  (it’s even shipping in ISE 2.7)

 

Surely a patch would be released to remove this cert?

 

FYI: Another major Wireless vendor sent out a field notice today about this same issue. 

 


@Arne Bier wrote:

I would have expected a Cisco Field Notice for this since it affects every version of ISE I have come across - at least 2.2 and onwards.  (it’s even shipping in ISE 2.7)

 

Surely a patch would be released to remove this cert?

 

FYI: Another major Wireless vendor sent out a field notice today about this same issue. 

 


will see what we can do, for now the guidance is in the guides

Thanks Arne for your response on this! Wish there was a field notice from Cisco regarding this as it impacts all the ISE customers!

Hi, sorry for bugging, I have the same symptom , its gonna expire on Fri, 7, 2020,

What does it mean: it impacts all the ISE customers? will it affect the services?

sorry Im not following up

Im running a very old version though, 2.0.236

@ all

has anyone deleted and has encountered any issues?

can I delete it before expiration or should i just wait until it expires?


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: