Cisco ISE Certificate renewal

I have received a request from a client who wants to renew ISE certificates that are about to expire. Unfortunately, they are new to the environment, so they don't know much. I asked what these certificates are used for, but they don't know; they don't even know how these certificates were signed the first time.

So, how do I know what these certificates are used for?

And how do I renew these certificates?

And is there a way to figure out how these certificates were signed? Is it important to know?


I attached a screenshot of the certificates.


Mike.Cifelli
VIP Alumni

So, how do I know what these certificates are used for?
Your screenshot depicts certs in the ISE trust store, which are managed under Administration->System->Certificate Management->Trusted Certificates. If they were ISE system certs, they would be located under System Certificates.
You can see what a cert is configured to be used for on the Trusted Certificates page. If you edit a trusted cert and go to the Usage section, the options are as follows:
-Trust for authentication within ISE - check this box if the certificate is used for trust within ISE, such as for secure communication between ISE nodes.
-Trust for client authentication and Syslog - check this box if the certificate is to be used for authentication of endpoints that contact ISE over the EAP protocol. Also check this box if the certificate is used to trust a Syslog server. (Note: this check box is enabled only if the Trust for authentication within ISE box has been checked.) Make sure the keyCertSign bit is asserted under the KeyUsage extension for this certificate.
-Trust for authentication of Cisco Services - check this box if the certificate is to be used for trusting external Cisco services, such as the Feed Service.
And how do I renew these certificates?
-If you need updated/newer certs, you should be able to receive them from the corresponding issuer/provider.
And is there a way to figure out how these certificates were signed? Is it important to know?
The screenshot depicts who issued the cert, so this tells you the issuer and who is responsible for signing. See the <Issued By> column.
HTH!

Thank you very much.

And should I renew these certificates the normal way? 

Like generating a CSR on the ISE, signing the certificate, importing it into the ISE, and binding it? Or is there another method for these certificates?

And should I renew these certificates the normal way?
Like generating a CSR on the ISE, signing the certificate, importing it into the ISE, and binding it? Or is there another method for these certificates?
-If the certificates are ISE system certificates, then yes, you would generate the CSR, submit the CSR to your internal/3rd-party CA, and bind it to services. However, as mentioned earlier, that picture depicts that those certs are not ISE system certs. Please see this link, as it should help answer additional concerns:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0111.html?referring_site=RE&pos=1&page=https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_...
HTH!

Most likely both of these certs were imported at one point because a certificate used by ISE on the System Certificates screen was issued by these CAs. I am dealing with that AddTrust CA expiring at one of my customers. You can't renew those certs like you would renew other certs; they are most likely public CA certs, so you need to get an updated CA cert from the provider. You will probably need to update the system cert that was issued by that CA as well.


If you look on the System Certificates screen and don't see any certs with those CA certs in their chain, you most likely can just delete them from the Trusted Certificates screen. They could be used for other reasons, like MDM integrations or TC-NAC, but most likely system certificates.
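The two checks the replies above describe (read the Issued By column and the keyCertSign bit on each trusted cert; then see whether any system cert actually chains to it before deleting or replacing it) can be scripted against exported PEM files. The Go program below is an added example written for this page, not Cisco or ISE code. It constructs its own trust store and system cert (the names Lab Root CA, ise.example.com and Old Public Root are made up for the example) so it runs offline; in practice you would export the certificates from Administration > System > Certificates and parse them with encoding/pem and x509.ParseCertificate instead of calling BuildScenario.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// TrustEntry: what to know about a trust-store cert before deciding whether
// to fetch a newer copy from its issuer or simply delete it.
type TrustEntry struct {
	Subject  string
	Issuer   string   // the "Issued By" column: who signed it
	DaysLeft int      // days until NotAfter, rounded
	CanSign  bool     // keyCertSign asserted in KeyUsage
	UsedBy   []string // system certs whose chain ends at this anchor
}

// Inventory treats each trusted cert in turn as the only trust anchor (the
// other trusted certs may serve as intermediates) and records which system
// certs verify against it at time now.
func Inventory(trusted, system []*x509.Certificate, now time.Time) []TrustEntry {
	inter := x509.NewCertPool()
	for _, c := range trusted {
		inter.AddCert(c)
	}
	var out []TrustEntry
	for _, ca := range trusted {
		e := TrustEntry{Subject: ca.Subject.CommonName, Issuer: ca.Issuer.CommonName,
			DaysLeft: int(math.Round(ca.NotAfter.Sub(now).Hours() / 24)),
			CanSign:  ca.KeyUsage&x509.KeyUsageCertSign != 0}
		roots := x509.NewCertPool()
		roots.AddCert(ca)
		for _, s := range system {
			_, err := s.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
				CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
			if err == nil {
				e.UsedBy = append(e.UsedBy, s.Subject.CommonName)
			}
		}
		out = append(out, e)
	}
	return out
}

var serial int64

// issue mints a test cert, self-signed when parent is nil. Helper constructed
// for this example; the names used below are not from the original thread.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true,
		IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the bit the Usage note asks for
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildScenario returns a constructed trust store (the lab CA that issued the
// ISE system cert, plus a public root expiring in 20 days that nothing chains
// to) and the constructed system-cert list.
func BuildScenario(now time.Time) (trusted, system []*x509.Certificate) {
	day := 24 * time.Hour
	lab, labKey := issue("Lab Root CA", true, now.Add(3650*day), nil, nil)
	ise, _ := issue("ise.example.com", false, now.Add(365*day), lab, labKey)
	old, _ := issue("Old Public Root", true, now.Add(20*day), nil, nil)
	return []*x509.Certificate{lab, old}, []*x509.Certificate{ise}
}

func main() {
	now := time.Now().UTC()
	trusted, system := BuildScenario(now)
	for _, e := range Inventory(trusted, system, now) {
		fmt.Printf("%-16s issued by %-16s %5d days left  keyCertSign=%-5t  used by %v\n",
			e.Subject, e.Issuer, e.DaysLeft, e.CanSign, e.UsedBy)
	}
}
```

A trusted cert whose UsedBy list is empty is a candidate for deletion, but only for the system-certificate use case: this check cannot see the other uses the last reply mentions (MDM integrations, TC-NAC, trusting a syslog server's chain), so confirm those in the ISE Usage settings before removing anything. An entry with UsedBy populated and few days left is the AddTrust-style case: the replacement root has to come from the provider, and the system cert issued under it likely needs a new CSR as well.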