EAP Auth Intermediate Cert Renewal

Hi Experts, we have a small 2-node deployment with the same certificate used for Admin and EAP authentication, where one of the intermediate certs in the certificate hierarchy is about to expire.

Could you please let me know the process to renew the intermediate certs?

Root CA

----> Intermediate CA 1

----> Intermediate CA 2 (about to expire)

----> Admin and EAP authentication cert

Accepted Solutions

Arne Bier
VIP

Hello @Srinivasan Nagarajan 

I assume the new Intermediate CA cert is already available to you?

And this is an internal PKI CA or from a public CA provider?

I would do the following:

Import the new Intermediate CA 2 cert into the ISE deployment under Trusted Certs. This is not service affecting - it's done in preparation for the new ISE System Certs that you're about to start using, issued by the new CA2.

On ISE PAN, create a CSR (Certificate Signing Request) in ISE for a new Admin Cert and include both ISE nodes.

Then, create another CSR (Certificate Signing Request) in ISE for a new EAP Cert - and put ticks against both ISE nodes.

The reason I split EAP and Admin is so that you can treat them individually - changing an Admin cert always causes downtime (application restarts), whereas replacing the EAP cert causes no downtime. They might look similar in the end, but splitting them can have operational advantages. If cost is an issue, then create a multi-use cert instead to keep the number of certs low.

Send the CSRs to your PKI team and get the certs created. You should receive new certs back: an Admin Cert for ISE1/2 and an EAP Cert for ISE1/2.

In a maintenance window, perform the bind of the Admin CSR for your Secondary ISE node by supplying the new Admin cert. This will cause the Secondary Admin node to restart - ensure it comes back with the new Admin cert by opening a browser to the Secondary node and inspecting the cert. You can of course also just check in the PAN GUI, but I like to do both.

Now bind the Primary Admin's CSR with the new Admin cert. As always, applications will restart and eventually you will be able to log back into the GUI. That was the disruptive part.

Replace the EAP cert only when your EAP clients (supplicants) are ready/prepared. Why? Because as soon as you replace the ISE EAP cert, it could affect the EAP clients that use ISE. If the clients are configured to trust ISE, then your clients MUST have the NEW CA2 cert in their own trust store. So make sure they have that pushed to them via Group Policy (Windows) or via the MDM.

When you replace an ISE EAP cert it's not service affecting. You can only have ONE EAP cert per ISE node - it will replace the old one.

BTW - browser certs (SSL/HTTPS) should be generated with a max lifespan of 1 year, since Apple and other browsers will start rejecting longer-living certs from 1 Sept 2020. You can still make them 2/3 years before then. This new rule only applies to certs that are created after (or VALID FROM) 1 Sept.

EAP certs can be longer than 1 year - it depends on your security people - if you want to save yourself this hassle every year, then make the cert live a bit longer.

Hope that helps.

regards

3 Replies

Hi @Arne Bier

Thanks for the reply.

From the above I assume the main part is to configure users (via GPO) to make them trust the new intermediate cert (and root certs) before changing the EAP cert, to avoid an outage or keep it minimal.

And one more question: should users be trusting 'ALL' the certificates in the certificate hierarchy, or would trusting only the root cert (still valid) suffice?

Hello again

What I meant by the GPO part (in the case of Windows domain-joined machines) is that you can easily push the new intermediate CA cert to all domain-joined computers ahead of time (step 1). As far as configuring the supplicant via GPO is concerned, I don't know if that is necessary/applicable, because in my experience I haven't seen that Windows allows you to select every CA cert during supplicant configuration - it's usually only the Root CA cert. Make sure that the Windows supplicants have a tick against the Root CA cert. I might be wrong, but Windows has always only cared about the Root CA cert. Have a look in your current supplicants: do you currently have check boxes against the current Root/Intermediate/Issuing CAs (i.e. are all three visible in the supplicant)?
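Two checks from this thread that are worth scripting: after binding the new certs, confirm what an ISE node actually serves (the "open a browser and inspect the cert" step) and flag any intermediate that is close to expiry; and confirm the served chain is ordered leaf, issuing CA, next CA, so a supplicant that trusts only the Root CA can still build the path. The shell script below is an added example, not something from the thread or from Cisco; it works on a PEM bundle saved with `openssl s_client -showcerts` (the hostname and port are placeholders) and needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread). Save the chain an ISE node presents with
#   openssl s_client -connect ise01.example.com:443 -showcerts </dev/null > chain.pem
# (placeholder hostname; use port 443 for the Admin cert), then run
#   check_chain_expiry chain.pem 60
# Requires the openssl CLI; tested against OpenSSL 1.1 and 3.x output formats.

# Split a PEM bundle ($1) into one file per certificate inside directory $2.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$1"
}

# check_chain_expiry <bundle.pem> <days>
# Prints subject, issuer and notAfter for every certificate in the bundle.
# Returns 1 if any certificate expires within <days> days, or if the chain
# order is broken (issuer of cert N is not the subject of cert N+1); else 0.
check_chain_expiry() {
    bundle=$1; days=$2; secs=$((days * 86400)); rc=0; prev_issuer=""
    tmp=$(mktemp -d) || return 2
    split_chain "$bundle" "$tmp"
    for c in "$tmp"/cert*.pem; do
        [ -e "$c" ] || continue
        subj=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -in "$c" | sed 's/^issuer= *//')
        end=$(openssl x509 -noout -enddate -in "$c" | sed 's/^notAfter=//')
        printf '%s\n  issuer:   %s\n  notAfter: %s\n' "$subj" "$iss" "$end"
        # The previous cert's issuer must be this cert's subject (leaf first).
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "  CHAIN ORDER ERROR: expected subject '$prev_issuer'"; rc=1
        fi
        # -checkend exits non-zero when the cert expires within $secs seconds.
        if ! openssl x509 -noout -checkend "$secs" -in "$c" >/dev/null; then
            echo "  WARNING: expires within $days days"; rc=1
        fi
        prev_issuer=$iss
    done
    rm -rf "$tmp"
    return $rc
}
```

Run it against the EAP side too (the port your RADIUS/EAP listener is not reachable by s_client, so export the EAP cert chain from the ISE GUI instead) and compare the issuer names against what the supplicants have in their trust store.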