Solved: Can I keep the using the default self signed certificate for PEAP?

dan hale · ‎01-29-2019

Hi, I posted a similar question about certificates but, this is more of do I need to have the EAP CSR signed....

I have a small ISE 2.4 install with Windows 10 clients. On the client side in windows we are not checking the "validate server certificate". I know this is necessarily not secure. If that is the case do I still need to generate a CSR and get the EAP certificate signed by a CA? Can I just leave it binded to the default self signed certificate if I'm not validating it in windows?

Thanks,

Dan

Arne Bier · ‎01-29-2019

You can use the default self-signed ISE cert for the EAP role. But I would still create a new CSR for a self-signed cert and make it valid for 5 years or so. Because out of the box, ISE certs are only valid for 1 year. Just do it now and save yourself the toruble later on. Remember that the EAP cert can be handled separately from the other roles like Admin, Web Portals etc. Creating a new EAP cert won't restart any services.

View solution in original post

Arne Bier · ‎01-29-2019

You can use the default self-signed ISE cert for the EAP role. But I would still create a new CSR for a self-signed cert and make it valid for 5 years or so. Because out of the box, ISE certs are only valid for 1 year. Just do it now and save yourself the toruble later on. Remember that the EAP cert can be handled separately from the other roles like Admin, Web Portals etc. Creating a new EAP cert won't restart any services.