Cisco ISE Admin and EAP certificate renewal

Johannes Luther
Level 4

Hi board,

maybe I'm asking a rather dumb question here, but anyway :)

I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.

 

Here's the thing I do, when I initially install an ISE node

1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"

2.) Sign CSR and bind certificate on ISE node - done

 

Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.

CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)

 

So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and, more importantly, non-disruptive way of doing this.

 

How do you guys do this in your deployments?

 

Thanks in advance and sorry again if this is a silly question.

 

Johannes

Accepted Solution

mohanak
Cisco Employee

You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.

Certificate Renewal on Cisco Identity Services Engine Configuration Guide

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html


4 Replies


Thanks for that! I did something wrong or something weird happened during the CSR generation on the ISE. Of course I can create a new CSR with the same subject as an existing certificate.

Sorry about that...

Why do you need SAN="fqdn as well"?

Is there a condition where Subject CN match is not enough?

Hi, I mean if I am using a CA-signed cert, as long as the root cert is present in all the ISE trusted stores, this is the 1st step.

And then when the cert is almost expired, e.g. 2 weeks early, I activate the new cert, and that is downtime as the ISE server needs to restart services, so I need to plan for downtime for all the ISE nodes.

end.

Please advise if my understanding is correct.
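Putting the accepted answer's overlap period and the two-week lead time from the reply above into a check, as an added example that is not code from Cisco or from anyone in this thread: it reads the validity dates in the format `openssl x509 -noout -dates` prints for the current and the renewed certificate (the sample dates are constructed) and reports whether the planned activation date falls inside the window where the new certificate is already valid and the old one has not yet expired.

```python
# Added example (not Cisco's or any poster's code): checks the activation
# window for a renewed ISE admin/EAP certificate from the validity text
# that `openssl x509 -noout -dates` prints for the current and new cert.
from datetime import datetime, timedelta, timezone

# Constructed sample dates (assumed, not from the thread) for the bound
# certificate and for its renewal.
CURRENT_CERT_DATES = """notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 00:00:00 2025 GMT"""

NEW_CERT_DATES = """notBefore=Nov  1 00:00:00 2024 GMT
notAfter=Nov  1 00:00:00 2025 GMT"""


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    dates = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        value = value.strip()
        if value.endswith(" GMT"):
            value = value[:-4]
        dates[key.strip()] = datetime.strptime(
            value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]


def plan(current_dates, new_dates, lead_days=14):
    """Report when the new certificate can safely be made active.

    The window opens when the new cert becomes valid and closes when the
    current one expires; lead_days is how far before expiry the service
    restart is scheduled (two weeks here, as in the reply above).
    """
    _, cur_not_after = parse_openssl_dates(current_dates)
    new_not_before, _ = parse_openssl_dates(new_dates)
    planned = cur_not_after - timedelta(days=lead_days)
    return {
        "window_start": new_not_before.isoformat(),
        "window_end": cur_not_after.isoformat(),
        # negative: the old cert expires before the new one is valid
        "overlap_days": (cur_not_after - new_not_before).days,
        "planned": planned.isoformat(),
        "planned_ok": new_not_before <= planned < cur_not_after,
    }


if __name__ == "__main__":
    for key, value in plan(CURRENT_CERT_DATES, NEW_CERT_DATES).items():
        print(f"{key}: {value}")
```

A negative `overlap_days` or `planned_ok == False` means the switch as scheduled would leave a period with no valid admin/EAP certificate, so either the CSR has to be issued earlier or the restart moved inside the window.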