Enthusiast

ISE Certificates

Hi. 

There are 4 certificates under the "Certificate Authority Certificates" menu, which are Root, OCSP, Node and Endpoint. The validity period of these certificates is as long as 10 years (it shows 2029 as the expiration date).

Also, by default there is a system certificate under "System Certificates" which is used for Admin, EAP Authentication, DTLS and Portals. The validity period of this certificate is as long as 1 year (it shows 2020 as the expiration date).

With these in mind, I think the system certificate used by ISE in EAP Authentication will expire in a year. The customer asked us to increase its validity period to 10 years, so they won't have to deal with an expired certificate in the 802.1X process after a year.

I know that using the CSR menu on the ISE GUI I can create a signing request and sign it with an external CA. But how is it done if I want to use the ISE internal CA instead to sign this new request and extend its validity period to 10 years? And in the first place, why has the default self-signed system certificate on ISE been set to be valid for just a single year, while the Root CA certificate on ISE is valid for 10 years?

Accepted Solution
VIP Engager

Re: ISE Certificates

That is a normal CA setup. The root and sub CAs usually have long-lived certificates as they are used to issue and validate a chain of trust. The actual certificates issued to end devices/clients have a much lower expiry time, typically in the 1-2 year range. I don't believe any of the public CA providers do more than 2 years at this point.

Your customer wants to use the internal ISE CA issued cert for EAP authentication and portals? Have you explained to them that no one trusts the ISE internal CA and they will get certificate warnings unless you turn off server validation (not a good idea) or distribute the ISE root CA cert to the clients' trusted root CA store? The only thing I use the ISE internal CA cert for is pxGrid.

At this point, if your client really doesn't care about certificates, you could just generate a self-signed certificate with a 15 year expiry and use that for everything. If you want to use the ISE internal CA you can make a new template under the Certificate Template screen that has an expiry of up to 10 years and issue certs from that template. Again, none of this would I ever recommend to a customer.

Enthusiast

Re: ISE Certificates

Just supposing that we have decided to increase the validity period of the system certificate on ISE, which has one-year validity by default, what will be done on the expiration date of that certificate? Does ISE renew its self-signed server certificate, which is used for EAP Authentication, before the expiration date, or do we need to regenerate a new system certificate manually before the expiration date?

My regards,

VIP Engager

Re: ISE Certificates

You will need to manually refresh the ISE certificate.


Cisco Employee

Re: ISE Certificates

No appliance will automatically renew certificates. That is counterintuitive to security.

-Krishnan
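As an added example, not code from this thread or from Cisco, the following POSIX shell script uses openssl to model the setup the accepted answer calls normal (a long-lived self-signed root issuing a short-lived leaf, in the same 10-year/1-year proportions the question reports) and then does what the later replies say ISE will not do on its own: it computes the days left on each certificate and flags the leaf once it falls inside a renewal window, so the manual renewal can be scheduled before the EAP server certificate expires. It also verifies that the leaf chains to the root, which is what a supplicant concludes only when server validation is on and that root is in its trust store. The subject names, file locations and the 90-day threshold are assumptions; it needs the openssl CLI and GNU date.

```shell
#!/bin/sh
# Added example, not Cisco ISE code: build a two-tier CA hierarchy with
# constructed certificates and monitor the leaf for manual renewal.
set -eu

# Scratch directory for the constructed key material.
WORK="${WORK:-$(mktemp -d)}"

# Issue a self-signed root valid 3650 days and a leaf valid 365 days.
# Subject names are placeholders chosen for this example.
build_hierarchy() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ise.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/leaf.crt" 2>/dev/null
}

# Print the whole number of days until certificate file $1 expires
# (negative once it has already expired).
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_s=$(date -u -d "$end" +%s)
  now_s=$(date -u +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# Return 0 if certificate $1 still has at least $2 days of validity,
# 1 if it is inside the renewal window. Suitable for a cron job that
# alerts the team owning the ISE system certificate.
check_expiry() {
  left=$(days_left "$1")
  if [ "$left" -lt "$2" ]; then
    echo "RENEW: $1 expires in $left days (threshold $2)"
    return 1
  fi
  echo "OK: $1 expires in $left days"
  return 0
}

# Return 0 when the leaf chains to the root, i.e. what a supplicant with
# server validation enabled and the root in its trust store would see.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

main() {
  build_hierarchy
  if verify_chain; then
    echo "leaf chains to root"
  else
    echo "leaf does NOT chain to root"
  fi
  # Root has years left; the fresh 1-year leaf is outside a 90-day window.
  check_expiry "$WORK/root.crt" 90 || true
  check_expiry "$WORK/leaf.crt" 90 || true
}

main "$@"
```

Run it once to see both certificates reported as OK; point `check_expiry` at the exported ISE system certificate (and lower the threshold to whatever lead time your change process needs) to get the warning the thread says the appliance itself will never raise.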
Enthusiast

Re: ISE Certificates

@kthiruve Do you mean that we won't need to manually renew the ISE self-signed system certificates used for EAP authentication, portal, RADIUS, etc. at all?