Currently upgrading from ISE 2.7 to 3.2 certificate -Different Root CA

craiglebutt
Level 4

2 ISE deployments with different System certificates.

The original deployment was built with a System certificate using a SHA-1 Root CA; this has been in place all the way to 2.7.

Now the new 3.2 deployment's system certificate has a new root and intermediate certificate (SHA-256) issued by a different Root CA.

Both Root CAs have different CNs.

We use Intune for our mobile endpoints; we can add both root certificates in the trusted certificates for iOS devices, but can only have 1 trusted certificate for Android.

If we push out 2 Wi-Fi policies to the Android, 1 policy using the SHA-1 root and a second one using the SHA-256 root, to the same SSID:

Will the old deployment on SHA-1 seamlessly allow the devices to connect, as it has a SHA-1 PKI certificate, with no issues, and will the new deployment allow all to connect seamlessly with the SHA-256 intermediate PKI?

There is no MDM attached to this, just trusting certificates (at the minute).

All certificates are on both deployments; our laptops are working, iOS devices are on as the Intune policy allows multiple trusted certificates.

1 Reply

Greg Gibbs
Cisco Employee

What type of Android Configuration Profile are you using? Is this an issue due to the lack of support for 'Android device administrator' enrolled devices?

If not, what happens when you try to use more than one Configuration Profile for Trusted Certificate on the Android devices?

If you are unable to install the Trusted Root chain for both clusters, it likely will not work as the endpoint needs to trust the EAP certificate presented by the ISE PSN. You would either need to solve the issue with the Android certificate profiles or replace the EAP certificate on the 2.7 PSNs with one signed by the new root chain.
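The trust requirement in the reply above can be checked outside of ISE and Intune with a small chain-validation test. The following Go program is an added example and not code from the thread, from Cisco or from Microsoft: it builds two constructed root CAs with different CNs (standing in for the old and new deployment roots), issues a server certificate from each (standing in for the EAP certificates on the 2.7 and 3.2 PSNs), and then verifies those server certificates against a trust store holding only the new root (the single-root Android case) and a trust store holding both roots (the iOS case). It also shows the second remediation from the reply, re-issuing the old PSN's EAP certificate from the new chain, so that a single-root trust store accepts it. Both constructed roots use ECDSA with SHA-256 rather than SHA-1, because Go's verifier refuses SHA-1 certificate signatures; the trust-anchor behaviour being demonstrated does not depend on the hash algorithm. All names (`old-root-ca.example`, `psn-old.example`, and so on) are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a CA certificate with its signing key (constructed test data only).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot creates a self-signed root CA with the given CN.
func newRoot(cn string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueServer issues a server-auth (EAP) certificate for a PSN name from the given CA.
func issueServer(issuer *ca, psnName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: psnName},
		DNSNames:     []string{psnName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether a supplicant whose trust store holds exactly the
// given roots would accept the presented server certificate. Hostname checking
// is skipped on purpose: the question here is only the trust anchor.
func trustedBy(server *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Outcome records which PSN certificates each kind of trust store accepts.
type Outcome struct {
	OldPSNNewRootOnly      bool // 2.7 PSN cert, Android trusting only the new root
	NewPSNNewRootOnly      bool // 3.2 PSN cert, Android trusting only the new root
	OldPSNBothRoots        bool // 2.7 PSN cert, iOS trusting both roots
	NewPSNBothRoots        bool // 3.2 PSN cert, iOS trusting both roots
	ReissuedOldNewRootOnly bool // 2.7 PSN re-issued from the new chain, new root only
}

// scenario builds the two deployments and evaluates every combination.
func scenario() (Outcome, error) {
	var o Outcome
	oldRoot, err := newRoot("old-root-ca.example") // placeholder CN
	if err != nil {
		return o, err
	}
	newRoot2, err := newRoot("new-root-ca.example") // placeholder CN, different from the old one
	if err != nil {
		return o, err
	}
	oldPSN, err := issueServer(oldRoot, "psn-old.example")
	if err != nil {
		return o, err
	}
	newPSN, err := issueServer(newRoot2, "psn-new.example")
	if err != nil {
		return o, err
	}
	// Remediation: replace the 2.7 PSN's EAP certificate with one from the new chain.
	reissuedOld, err := issueServer(newRoot2, "psn-old.example")
	if err != nil {
		return o, err
	}
	o.OldPSNNewRootOnly = trustedBy(oldPSN, newRoot2.cert)
	o.NewPSNNewRootOnly = trustedBy(newPSN, newRoot2.cert)
	o.OldPSNBothRoots = trustedBy(oldPSN, oldRoot.cert, newRoot2.cert)
	o.NewPSNBothRoots = trustedBy(newPSN, oldRoot.cert, newRoot2.cert)
	o.ReissuedOldNewRootOnly = trustedBy(reissuedOld, newRoot2.cert)
	return o, nil
}

func main() {
	o, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

With only the new root trusted, the certificate issued by the old root fails chain validation, which is exactly why an Android profile limited to one trusted certificate cannot serve both clusters at once; trusting both roots, as the iOS profile allows, accepts both, and re-issuing the 2.7 PSN certificate from the new chain makes the single-root store sufficient.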