05-19-2020 08:15 AM
I have received a request from a client that they want to renew ISE certificates which are about to expire. Unfortunately, they are new to the environment, so they don't know much. I asked what these certificates are used for, but they don't know; they don't even know how these certificates were signed the first time.
So, how do I know what these certificates are used for?
And how do I renew these certificates?
And is there a way to figure out how these certificates were signed? Is it important to know?
I attached a screenshot of the certificates.
05-19-2020 09:42 AM - edited 05-19-2020 09:44 AM
So, how do I know what are these certificates used for?
Your screenshot shows that those are certs in the ISE Trust store, which are managed under Administration->System->Certificate Management->Trusted Certificates. If they were ISE System Certs they would be located under System Certificates.
You can see what the cert is configured to be used for on the Trusted Cert page. If you edit a Trusted Cert and go to the Usage section, the options are as follows:
-Trust for authentication within ISE - check this box if the certificate is used for trust within ISE, such as for secure communication between ISE nodes.
-Trust for client authentication and Syslog - check this box if the certificate is to be used for authentication of endpoints that contact ISE over the EAP protocol. Also check this box if the certificate is used to trust a Syslog server. (Note: this check box is enabled only if the Trust for authentication within ISE box has been checked.) Make sure the keyCertSign bit is asserted under the KeyUsage extension for this certificate.
-Trust for authentication of Cisco Services - check this box if the certificate is to be used for trusting external Cisco services, such as the Feed Service.
and how to renew these certificates?
-If you need the updated/newer certs you should be able to receive them from the corresponding issuer/provider.
and is there a way to figure out how these certificates were signed? is it important to know?
The screenshot shows who issued the cert, so this tells you the issuer and who is responsible for signing. See the <Issued By> column.
HTH!
05-20-2020 12:21 AM
Thank you very much.
And should I renew these certificates the normal way?
Like generating a CSR on the ISE, signing the certificate, importing it to the ISE and binding it? Or is there another method for these certificates?
05-20-2020 05:48 AM
05-20-2020 03:35 PM
Most likely both of these certs were imported at one point because a certificate used by ISE on the system certificate screen was issued by these CAs. I am dealing with that AddTrust CA expiring at one of my customers. You can't renew those certs like you would renew other certs; they are most likely public CA certs, so you need to get an updated CA cert from the provider. You will probably need to update the system cert that was issued by that CA as well.
If you look on the system certificate screen and don't see any certs with those CA certs in their chain, you most likely can just delete them from the trusted cert screen. They could be used for other reasons, like MDM integrations or TC-NAC, but most likely system certificates.
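An added example, not from this thread or from Cisco: a small openssl script that answers the same questions for certificates exported from the ISE trusted-store and system-certificate pages (who issued a cert, whether it is a CA cert with keyCertSign set, whether a system cert chains to a given trusted CA, and how close it is to expiry). It assumes openssl 1.1.1 or later is on PATH and builds its own constructed sample CA and leaf in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread: inspect certificates exported from ISE
# with openssl. Assumes openssl (1.1.1+) is on PATH. Sample certs are
# constructed on the fly and stand in for what an admin would export.
set -e
WORK=$(mktemp -d)

# Constructed sample material: a throw-away root CA plus a short-lived
# "system cert" that it signs.
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ise.example.local" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# True if the cert asserts keyCertSign, i.e. it is a CA cert that signs
# others (what "Trust for client authentication and Syslog" expects).
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage' | grep -q 'Certificate Sign'
}

# True if $2 (a trusted-store CA) validates $1 (a system cert) on its own,
# so removing $2 from the trust store would break $1.
chains_to() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if the cert expires within $2 days (-checkend exits 0 when it will NOT).
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Human-readable summary: who issued it, when it ends, and what role it has.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
  if is_ca_cert "$1"; then echo "role: CA (keyCertSign set)"; else echo "role: end-entity"; fi
}

make_samples
describe_cert "$WORK/ca.pem"
describe_cert "$WORK/leaf.pem"
chains_to "$WORK/leaf.pem" "$WORK/ca.pem" && echo "leaf chains to ca: keep the CA cert"
expires_within_days "$WORK/leaf.pem" 60 && echo "leaf expires within 60 days: renew it"
```

Point the functions at a CA cert exported from Trusted Certificates and a cert exported from System Certificates to see whether the CA is still needed and when the system cert must be renewed.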