10-28-2020 07:36 AM
Hello everyone,
when you create a CSR for a new certificate, you see it listed in ISE (Admin-System-Certificates-Certificate Management-Certificate Signing Requests). Later on, when you receive the new cert, you bind it to the CSR pending in the system. I have a question: does the pending CSR expire, or is it deleted from ISE automatically, after some time?
Real life experience: We need to renew a cert, so I need to create a CSR and provide it to the CA first. Due to some issues the process of obtaining the new cert is pretty lengthy and it may take up to 3-4 months. I'm interested in whether I can create the CSR now and still find it on ISE even after such a long time - or if there is any time after which the CSR will be deleted automatically if not bound.
thanks,
Martin
11-07-2020 09:53 PM
A certificate signing request is merely a set of identity claims waiting to be verified and literally certified.
They are not valid until bound to an actual certificate so it should not matter the age.
The certificate is what has an actual time validity.
10-28-2020 08:58 AM
I've never waited for an issued certificate to be sent back for more than a few days; however, I don't think I ever came across any documentation that would suggest removing the CSRs after a specific amount of time.
12-20-2020 07:23 AM
I don't experience that expiring on its own after a long time, however, I have seen this scenario during our upgrade from 2.6 to 2.7 wherein the CSR generated was lost after the upgrade. The thing is, we already have the signed certificate from CA and we can no longer bind it to the CSR/private key. Is there any way we can recover this so there's no need to generate a new CSR and re-issue the certificate from CA? I have the TAC case opened anyway but any inputs will be appreciated. Thanks!
12-21-2020 01:29 AM
Hello, this happened to me a few times, when ISE got into some trouble and I had to reinstall it. However, I had only the cert, without the private key (I did not export it prior to re-installation). So I think something similar happened to you too - I think you generated the CSR, engaged the CA to sign it (generate the new cert) and in the meantime you upgraded ISE. Now, you have only the signed cert but no CSR you can bind it to (and also no private key). From my experience, there is no other way to fix this than to issue a new CSR, use it to re-issue the cert and then bind the cert to the CSR.
The reason why you cannot install just the cert now (without having a CSR) is that when you create a CSR, a private key is also generated, which remains on the system. Then, when you have the new cert issued, it is bound to that CSR (and also the private key) present on the system. Then, to be on the safe side, you can export both after binding it.
If you had had the cert installed prior to the upgrade, you could have exported it along with the private key and then installed both of them back after the upgrade (without needing the CSR). But this is not an option now because, again, you don't have the private key - you did not export it prior to the upgrade.
The good news is that all major CAs that issue certs should have an admin interface where you simply upload the CSR and re-issue the cert, without paying or purchasing a new cert. I mean - and this is important - once you have purchased the certificate before and the cert is still valid, you have a right to get the cert RE-ISSUED without any additional costs. I recommend you get in touch with the person who has access to this admin interface of the CA and provide that person the new CSR, so he/she can upload it and then re-issue the cert. Again, my experience is that I've never ever paid additional costs for this, as the cert was still valid. I just generated a new CSR, uploaded it and then RE-ISSUED the cert.
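The key-pair relationship described in the post above can be checked outside ISE with OpenSSL. This is an added example, not part of the original thread or of ISE itself: it compares the public key in an issued certificate with the public key in a CSR, using constructed demo files (`old.csr`, `issued.crt`, `new.csr`, CN `ise.example.test`) and a self-signature standing in for the CA.

```shell
#!/bin/sh
# Added example: does an issued certificate belong to a given CSR's key pair?
# All file names and the subject CN are constructed for the demo.

# SHA-256 of the DER-encoded public key inside a PEM CSR ($1).
csr_key_digest() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key inside a PEM certificate ($1).
cert_key_digest() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 only if certificate $1 and CSR $2 both parse and share a public key.
cert_matches_csr() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1   # unreadable cert
    openssl req -in "$2" -noout 2>/dev/null || return 1    # unreadable CSR
    [ "$(cert_key_digest "$1")" = "$(csr_key_digest "$2")" ]
}

# --- constructed demo data ---------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# "Old" CSR: the one sent to the CA; its private key would stay on the appliance.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
    -keyout "$DEMO_DIR/old.key" -out "$DEMO_DIR/old.csr" 2>/dev/null
# Stand-in for the CA's answer: a certificate carrying the old CSR's public key.
openssl x509 -req -in "$DEMO_DIR/old.csr" -signkey "$DEMO_DIR/old.key" \
    -days 30 -out "$DEMO_DIR/issued.crt" 2>/dev/null
# "New" CSR generated after the old one was lost: same subject, new key pair.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
    -keyout "$DEMO_DIR/new.key" -out "$DEMO_DIR/new.csr" 2>/dev/null

for csr in old.csr new.csr; do
    if cert_matches_csr "$DEMO_DIR/issued.crt" "$DEMO_DIR/$csr"; then
        echo "issued.crt matches $csr"
    else
        echo "issued.crt does NOT match $csr (different key pair, re-issue needed)"
    fi
done
```

The subject is identical in both CSRs, yet only the original one matches: the certificate is tied to the key pair, not to the name in the request.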
12-21-2020 01:43 AM
Hi, thanks. Yes, you are correct, the private key is also part of that thing in the GUI which we need to bind. For some reason, after the upgrade it was gone and we can't bind the new certificate anymore (should have done it before the upgrade). Anyway, it is what it is. We have just re-generated a new CSR and asked our server team to request the re-issuing of the new certificate - and yes, I believe this doesn't cost us anything for the re-issue of the cert, unless I think you've revoked it and requested another. Thanks for the info btw.