07-27-2020 09:21 AM - edited 07-27-2020 09:27 AM
Hi Experts,
We have a 2 small node deployment with the same certificate used for Admin and EAP authentication, where one of the Intermediate certs in the certificate hierarchy is about to expire.
Root CA
----> Intermediate CA 1
-----> Intermediate CA 2 (About to expire)
----> Admin and EAP authentication cert
1. Would importing the Intermediate CA 2 into the ISE 'Trusted store' and rolling it out to the users via GPO suffice?
2. Will it cause any service disruption or a restart of the services?
Can you please suggest the best practices, if any?
07-28-2020 01:55 PM
Double check your certificate and certificate chain. Your identity certificate should not have an expiration date that is later than your issuing CA certificate. Verify the serial numbers to ensure you are looking at the correct CA certificates.
Just adding a certificate to the trusted store will not cause a restart of services. But if you have to update your identity certificate used for admin, then that would restart the services.
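The check suggested in the reply above (identity certificate expiry versus issuing CA expiry, plus serial numbers), as an added example that is not part of the original posts. It assumes the certificates have been exported from ISE as PEM files and that the `openssl` CLI and GNU `date` are available; the function names and the demo certificate names are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an identity cert with the CA cert that issued it.

# Expiry (notAfter) of a PEM certificate as epoch seconds (needs GNU date).
not_after_epoch() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate) || return 2
  date -u -d "${end#notAfter=}" +%s
}

# Succeeds (0) when the identity cert $1 expires later than CA cert $2,
# which is the condition the reply says should not occur.
outlives_issuer() {
  local leaf_end ca_end
  leaf_end=$(not_after_epoch "$1") || return 2
  ca_end=$(not_after_epoch "$2") || return 2
  [ "$leaf_end" -gt "$ca_end" ]
}

# Succeeds when the issuer name of $1 equals the subject name of $2.
# Name match only, not a signature check; it guards against comparing
# the identity cert with the wrong CA file.
issued_by() {
  local iss sub
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# Subject, serial number and expiry, for comparing with what the ISE GUI shows.
show_cert() { openssl x509 -in "$1" -noout -subject -serial -enddate; }

# Constructed sample data: a demo CA valid for 30 days and an identity
# cert valid for $2 days, written into directory $1.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Intermediate CA 2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$2" -out "$1/leaf.pem" 2>/dev/null
}

# Stand-alone use: ./check.sh identity.pem issuing-ca.pem
if [ "$#" -eq 2 ]; then
  show_cert "$1"; show_cert "$2"
  issued_by "$1" "$2" || echo "WARNING: $2 is not the issuer named in $1"
  if outlives_issuer "$1" "$2"; then echo "WARNING: identity cert outlives its issuing CA"; fi
fi
```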
07-29-2020 06:54 AM - edited 07-29-2020 06:55 AM
Hi Colby,
Thanks for the reply. Our renewal concern is only about the Inter.CA certs, not the identity/server cert.
We already have an Intermediate certificate which is about to expire (in less than 60 days). What are the procedures to be followed to renew the Intermediate certificate from the same CA without deleting the existing Inter.CA?
If we add the new Inter.CA from the same CA to the trusted store, will it be accepted when there is already an existing Inter.CA on the ISE?
07-29-2020 07:42 AM
You can add additional Root/Intermediate CA certificates to the trusted store in ISE and that will not affect ISE at all. If you are correct that the new certificate would have a different expiration date, then it is a totally different Intermediate CA certificate and will add just fine. No services will be restarted.