How to renew a certificate in ISE

danilopasiani1
Level 1

Hi,

I need help, because we had a supplier that supported ISE, but because of the pandemic, the company ended the contract. So we verified that the CA certificate that validates the corporate wifi has expired and we need to renew it, so I would like to check how I could renew the certificate with the CA server or do I need to create a new certificate?

Accepted Solutions

Greg Gibbs
Cisco Employee

It looks like both the identity and root certificates have expired. If that's the case, you'll need to import an updated Root certificate chain (including any intermediate CA certs), generate a CSR, have it signed by the CA, and bind it to the CSR in ISE.

See How To Implement Digital Certificates in ISE for more information.
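
The renewal steps above end with binding the CA-signed certificate to its CSR in ISE. As an added example (not part of the original post and not Cisco tooling), these OpenSSL checks can be run on a workstation against the exported CSR, the signed certificate and the CA bundle before binding. The function names, file names and the lab PKI are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example: checks to run on a workstation before binding a CA-signed
# certificate to its CSR. File names and subjects are constructed.

# Exit 0 if CERT is still valid SECONDS from now (0 = "not expired yet").
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Exit 0 if CERT chains to CA_BUNDLE (root plus any intermediates, PEM).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 only if the signed CERT carries the public key from CSR.
cert_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# preflight CA_BUNDLE CERT CSR MIN_SECONDS -> 0 ok, 1 chain, 2 key, 3 expiry
preflight() {
    chain_ok "$1" "$2" || { echo "chain does not verify (expired or wrong CA?)"; return 1; }
    cert_matches_csr "$2" "$3" || { echo "certificate was not issued for this CSR"; return 2; }
    valid_for "$2" "$4" || { echo "certificate expires within $4 seconds"; return 3; }
    echo "ok: $2"
}

# Build a constructed lab PKI in DIR: root CA, CSR, 30-day signed cert,
# plus an unrelated CSR for the mismatch case.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Lab Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
        -keyout "$d/ise.key" -out "$d/ise.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ise.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -out "$d/ise.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=other.example.test" \
        -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
}

# Demo run against the constructed PKI (requires the openssl CLI).
demo=$(mktemp -d) && make_demo_pki "$demo" &&
    preflight "$demo/root.pem" "$demo/ise.pem" "$demo/ise.csr" 86400
```

`openssl x509 -in` reads only the first certificate in a file, so when checking the CA bundle itself for expiry, run `valid_for` on each CA certificate separately.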

Nadia Bbz
Level 1

Hi,

To renew a system certificate: Administration -> Certificates -> System Certificates -> edit the expired certificate -> drop down

in Renew Self Signed Certificate -> check Renewal Period, and in Expiration TTL put the number of years or months, as in the picture below.

renew certificate.png

This renewal option only works for self-signed certificates. While self-signed certificates may be practical for the Admin or pxGrid functions on small clusters, they are not practical for EAP.

When using private or public signed CA certificates (as per best practice), the entire chain needs to be renewed as described earlier.

Thank you for the information.

danilopasiani1
Level 1

Thank you Greg Gibbs. His recommendation helped me.
The certificate is now working.

Hi all,

I am having a similar issue with an expired certificate, and the users can't log in with their credentials. When they try to connect, they get a generic error "Can't connect to this network". I checked the Windows events (attached windows_events_error.PNG) and I got a more specific error: "eap root cause string: windows cannot connect to this network. There is a problem with the certificate on the server required for authentication"

I checked on ISE and indeed there is a certificate, signed by a CA, that is expired.

I would like to ask how I can find out whether this certificate is used by a policy?

Also, can I renew the expired certificate somehow, like the self-signed one, or do I have to create a new CSR from scratch and send it to the CA?

Finally, is it necessary to have a certificate signed by a CA, or can I have the same functionality with a self-signed certificate?

Thanks

@Greg Gibbs any advice on this?