04-02-2022 03:40 AM - edited 04-02-2022 04:37 AM
Hello,
We are using a self-signed certificate for admin, PEAP (EAP-MSCHAPv2) authentication.
I know it's not recommended, will have to plan and start using a CA-signed cert.
But for now, need to renew it as it will expire soon.
I know how to extend the time on it in system certificates. Will it fix the issue? What about the certificate on end user machines?
Please help as I am new to ISE.
Thanks a lot.
04-03-2022 01:58 PM
Hello @engineer467
You say "self-signed" certificate. By that I assume you mean that you are using the ISE EAP System certificate that was created in ISE when it was installed. To renew those is very easy.
Click on the Self-Signed Certificate and select Edit
Scroll down to the bottom of the screen and tick the box "Renewal Period" and then enter a value in days. Click Save. Done.
It will renew the ISE Self-Signed cert and update the Valid From and Valid To dates. The serial number should not change, but the fingerprint should be updated.
As for your end clients, they will see a new ISE EAP certificate and they will have to trust it all over again - either by manually accepting the new cert, or by you pushing that new ISE cert as a "Trusted Root" to all clients (via Group Policy or MDM etc.)
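The answer above says that a renewed self-signed certificate keeps its serial number but gets new validity dates and a new fingerprint, which is why clients have to trust it again. The script below is an added example, not part of the original posts and not Cisco tooling: it compares the certificate exported before and after renewal and reports exactly those three properties. The file names, the 30-day threshold and the sample certificates generated by `make_sample_pair` are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: compare the ISE EAP certificate exported
# (PEM) before and after renewal. File names and thresholds are assumptions.

serial_of()      { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Exit status: 0 renewed and valid for at least min_days, 1 fingerprint unchanged
# (still the old cert), 2 new cert expires within min_days, 3 unreadable file.
compare_renewal() {
    local old="$1" new="$2" min_days="${3:-30}" f old_fp new_fp
    for f in "$old" "$new"; do
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || { echo "not a certificate: $f"; return 3; }
    done
    old_fp=$(fingerprint_of "$old"); new_fp=$(fingerprint_of "$new")
    if [ "$(serial_of "$old")" = "$(serial_of "$new")" ]; then
        echo "serial:      unchanged ($(serial_of "$new"))"
    else
        echo "serial:      changed"
    fi
    if [ "$old_fp" = "$new_fp" ]; then
        echo "fingerprint: unchanged, this is still the old certificate"
        return 1
    fi
    echo "fingerprint: changed; clients that trusted the old one must now trust:"
    echo "             $new_fp"
    if ! openssl x509 -in "$new" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "expiry:      new certificate expires within $min_days days"
        return 2
    fi
    echo "expiry:      $(openssl x509 -in "$new" -noout -enddate | cut -d= -f2)"
}

# Constructed sample pair (not real ISE exports): same subject and serial,
# new validity dates. Reusing the key is an assumption of this sample.
make_sample_pair() {   # $1 = existing empty directory
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/old.pem" -days 1 -set_serial 4660 -subj "/CN=ise.example.test" 2>/dev/null
    openssl req -x509 -new -key "$1/key.pem" \
        -out "$1/new.pem" -days 365 -set_serial 4660 -subj "/CN=ise.example.test" 2>/dev/null
}

if [ "$#" -eq 2 ]; then compare_renewal "$1" "$2"; fi
```

Run it as `script.sh old.pem new.pem`; the SHA-256 fingerprint it prints is the value to compare against what a client shows in its trust prompt or what is distributed via Group Policy or MDM.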
04-03-2022 07:47 AM
Renewing certificates follows the same process. You need to create a new CSR, send it to whoever can sign it for you and re-install the signed certificate.
You need to send this to your clients' devices via some kind of MDM or via GPO.
But I am confused about some information you gave. You first refer to the admin certificate and then you ask about client certificates. You mentioned PEAP, which is Protected EAP, but it is not TLS or DTLS. Make sure you have all the information in order to proceed.
04-03-2022 08:13 PM
Hello Arne,
Thank you for the reply.
I will follow the steps and update here asap.
04-06-2022 11:52 PM
Hello Arne,
All worked smoothly after following your steps.
Thanks a lot again.