
How to renew a self signed certificate used for PEAP authentication

engineer467
Level 1

Hello,

We are using a self signed certificate for admin, PEAP (EAP-MSCHAPv2) authentication.

I know it's not recommended, will have to plan and start using a CA signed cert.

But for now, need to renew it as it will expire soon.

I know how to extend the time on it in system certificates, will it fix the issue? What about the certificate on end user machines?

Please help as I am new to ISE.

Thanks a lot.

Accepted Solutions

Arne Bier
VIP

Hello @engineer467 

 

You say "self-signed" certificate. By that I assume you mean that you are using the ISE EAP System certificate that was created in ISE when it was installed. To renew those is very easy.

Click on the Self-Signed Certificate and select Edit

Scroll down to the bottom of the screen and tick the box "Renewal Period" and then enter a value in days. Click Save. Done.

It will renew the ISE Self-Signed cert and update the Valid From and Valid To dates. The serial number should not change, but the fingerprint should be updated.

As for your end clients, they will see a new ISE EAP certificate and they will have to trust it all over again - either by manually accepting the new cert, or by you pushing that new ISE cert as a "Trusted Root" to all clients (via Group Policy or MDM etc.)
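The effect described in the answer above (same serial, new fingerprint, clients must trust the certificate again) can be reproduced offline with the OpenSSL CLI. This is an added example, not part of the original post and not ISE's own renewal code; it assumes the renewal keeps the key, subject and serial and only moves the validity dates, and the node name and serial are constructed.

```shell
#!/bin/sh
# Model of a self-signed renewal using the OpenSSL CLI.
# Assumption: the renewed certificate keeps key, subject and serial; only the
# validity period changes. All names and values here are constructed.

WORK=$(mktemp -d)
KEY="$WORK/eap.key"
SUBJ="/CN=ise01.example.test"   # hypothetical ISE node name
SERIAL=0x5A17                   # constructed serial number

# issue_cert <days> <outfile>: self-sign with the same key, subject and serial
issue_cert() {
    [ -f "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -x509 -new -key "$KEY" -sha256 -subj "$SUBJ" \
        -set_serial "$SERIAL" -days "$1" -out "$2" 2>/dev/null
}

# Values an administrator can compare before and after the renewal
cert_serial()  { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
cert_fp()      { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
cert_enddate() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# must_retrust <old> <new>: "yes" when a client that trusted the exact old
# certificate (matched by SHA-256 fingerprint) will not recognise the new one
must_retrust() {
    if [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then echo no; else echo yes; fi
}

issue_cert 365 "$WORK/old.pem"    # certificate about to expire
issue_cert 730 "$WORK/new.pem"    # renewed certificate with a longer validity

echo "serial  old/new : $(cert_serial "$WORK/old.pem") / $(cert_serial "$WORK/new.pem")"
echo "expires old     : $(cert_enddate "$WORK/old.pem")"
echo "expires new     : $(cert_enddate "$WORK/new.pem")"
echo "sha256  old     : $(cert_fp "$WORK/old.pem")"
echo "sha256  new     : $(cert_fp "$WORK/new.pem")"
echo "clients must re-trust: $(must_retrust "$WORK/old.pem" "$WORK/new.pem")"
```

The new fingerprint is the value to check against the certificate exported for distribution through Group Policy or MDM, so clients are given the renewed certificate rather than the expiring one.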

4 Replies

Renewing certificates follows the same process. You need to create a new CSR, send it to whoever can sign it for you and re-install the signed certificate.

You need to send this to your client devices via some kind of MDM or via GPO.

But I am confused about some of the information you gave. You first refer to the admin certificate and then you ask about client certificates. You mentioned PEAP, which is Protected EAP, but it is not TLS or DTLS. Make sure you have all the information in order to proceed.


Hello Arne,

 

Thank you for the reply.

I will follow the steps and update here asap.
engineer467
Level 1

Hello Arne,

 

All worked smoothly after following your steps.

Thanks a lot again.