cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6917
Views
10
Helpful
4
Replies

CISCO ISE 2.4 Alarm about expiration certificate (SAML)

Nadia Bbz
Level 1
Level 1

Hey Dear ;

 

Trust certificate 'Default self-signed server certificate' will expire soon

we would like to know what  does mean usage for SAML,  and to know if this certificate is really used in my case and how to renew it.

 

Alarm Name :

Certificate Expiration

 

Details :

 Trust certificate 'Default self-signed server certificate' will expire in 60 days : Server=SRP-01-CISE010

 

Description :

This certificate will expire soon.  When it expires, ISE may fail when attempting to establish secure communications with clients.  Inter-node communication may also be affected

 

Severity :

Warning

 

Suggested Actions :

Replace the certificate.  For a trust certificate, contact the issuing Certificate Authority (CA).  For a CA-signed local certificate, generate a CSR and have the CA create a new certificate.  For a self-signed local certificate, use ISE to extend the expiration date. You can just delete the certificate if it is no longer used

 

Thanks for help

 

1 Accepted Solution

Accepted Solutions

Hey @Arne Bier  ,

Thanks so much for helping me , I greatly appreciate it.

it's possible to renew certificate just to check the box renewal period and put 10 years or 5 years like the picture below

self signed.JPG

i have another certificate that will expired soon, should i apply the same method to solve it 

self signed certificate.JPG

 

thanks for help

 

View solution in original post

4 Replies 4

Arne Bier
VIP
VIP

Hi @Nadia Bbz 

 

I implement my own best practice for these situations: any cert that is not required on my customers' nodes is given a 10 year self-signed cert, to ensure that they don't get any expiration notices for certs they don't need. 10 years is the max - but by then I would assume the system would have been rebuilt anyway.

 

Under System Certs, generate a new self-signed cert to replace the current cert. Let's say you want to replace the SAML cert.

self-signed.PNG

 

 

 

 

 

 

Hey @Arne Bier  ,

Thanks so much for helping me , I greatly appreciate it.

it's possible to renew certificate just to check the box renewal period and put 10 years or 5 years like the picture below

self signed.JPG

i have another certificate that will expired soon, should i apply the same method to solve it 

self signed certificate.JPG

 

thanks for help

 

Hello @Nadia Bbz 

 

I learned something new! Thank you. I have never used that renew self cert button button. It does exactly what it says. For self-signed certs it seems you can either create a new one and delete the old one, or simply use the renew feature.

Here's the difference between creating a new cert, and renewing a cert:

  1. Create New Cert: creates a new Cert Serial Number - calculate new cert Fingerprint (hash)
  2. Renew Cert: Maintain same Serial Number and update the Validity period - calculate new cert Fingerprint (hash)

 

regards

Arne

Good notes here - thanks for posting.  Potential issue avoided!