How to renew EAP certificate

Bobby123
Level 1

Hi,

Not sure if this has been covered or not, but what's the best way to renew a certificate on ISE? It is used for EAP.

Cheers,

Bobby

Accepted solution

Damien Miller
VIP Alumni
While not a renewal per se, the easiest way is to generate a new CSR on the admin node of the deployment, selecting either multi-use or EAP for its usage.

You can accomplish this in two ways, depending on what you need.
1. If you only need a self-signed EAP cert, then you can generate a new one by clicking the "generate self signed certificate" button on the "system certificates" page.

2. If you require a CA-signed EAP cert (probably more common), then you can do that by navigating to this page and clicking the "generate certificate signing request" button and entering the information:
https://<your admin node ip or name>/admin/#administration/administration_system/administration_system_certificates/certificates_cert_mgmt/certificates_cert_mgmt_cert_signing_requests

Here is a visual guide:
https://networkproguide.com/cisco-ise-24-certificate-install/

Here are the Cisco admin guide steps:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#ID961


Now keep in mind a very important thing. If you are creating a new CSR, be very careful before using a new CN. Endpoints may be set up to only trust the CN found within the certificate, and auth can fail if you change it. It varies by environment, but you can use a non-existent CN (e.g. the old node name), and the cert will be properly built so long as it also appears in the SAN field.
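As an added example (not from this thread or from Cisco), a small Python pre-flight check that applies the CN/SAN advice above before a renewed cert is assigned the EAP usage: it parses the text that `openssl x509 -noout -subject -enddate -ext subjectAltName` prints and confirms that the CN and every name endpoints already trust (such as the old node name) appear in the SAN, and that the cert is still within its validity window. The sample openssl output and host names are constructed placeholders.

```python
"""Pre-flight check for a renewed ISE EAP certificate (added example): the CN
and every name endpoints already trust must be in the SAN, and the cert must
still be within its validity window, before the EAP usage is moved onto it."""
import re
from datetime import datetime, timezone

# Constructed sample of what
#   openssl x509 -in renewed.pem -noout -subject -enddate -ext subjectAltName
# prints for a hypothetical renewed cert; host names are placeholders.
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = GB, O = Example Corp, CN = ise-psn2.example.com
notAfter=Jan 31 23:59:59 2035 GMT
X509v3 Subject Alternative Name:
    DNS:ise-psn2.example.com, DNS:ise-old-psn.example.com, DNS:eap.example.com
"""
# Same shape, but already past notAfter (constructed).
EXPIRED_SAMPLE = SAMPLE_OPENSSL_OUTPUT.replace("2035", "2020")


def parse_openssl_text(text):
    """Return (cn, dns_sans, not_after): lower-cased names, UTC datetime or None."""
    cn_match = re.search(r"\bCN\s*=\s*([^,/\n]+)", text)
    cn = cn_match.group(1).strip().lower() if cn_match else None
    dns_sans = {n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)}
    end_match = re.search(r"notAfter=(.+)", text)
    not_after = None
    if end_match:  # openssl prints e.g. "Jan 31 23:59:59 2035 GMT"
        not_after = datetime.strptime(end_match.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
        not_after = not_after.replace(tzinfo=timezone.utc)
    return cn, dns_sans, not_after


def check_eap_cert(text, required_names, now=None):
    """Return problems found; an empty list means the cert is safe to assign to EAP."""
    # required_names: names endpoints trust today (e.g. the old node name),
    # which must survive the renewal as SAN entries.
    cn, dns_sans, not_after = parse_openssl_text(text)
    problems = []
    if cn is None:
        problems.append("subject has no CN")
    elif cn not in dns_sans:  # supplicants that pin the CN need it as a SAN too
        problems.append(f"CN {cn} is not listed in the SAN")
    for name in required_names:
        if name.lower() not in dns_sans:
            problems.append(f"required name {name} missing from SAN")
    now = now or datetime.now(timezone.utc)
    if not_after is None:
        problems.append("no notAfter line found")
    elif not_after <= now:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    return problems
```

Feed it the real openssl output of the cert you are about to bind (for example `check_eap_cert(open("renewed.txt").read(), ["<old node name>"])`) and only move the EAP usage when it returns an empty list.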


Hi Damien,

Thank you for that explanation and links, most helpful!

As for the post-certificate-renewal testing, we are trying to work out the best way to test one of the certificate renewals (say on the secondary ISE box) and create a test SSID which points only to that secondary ISE server for testing before we update the primary server. Is this something which is workable?

Also, with this EAP authentication certificate, we are trying to work out the best way to see how it is working at present; we do not have much working knowledge of this (i.e. is it just used for our corporate Wi-Fi or is it used for other services?).

Hope this makes sense!

Cheers,

Bobby

Yes, a WLC, for example, is able to have different sets of RADIUS servers for different WLANs (SSIDs).

As long as you are able to keep unique subjects for the certificates (e.g. different O or OU values), you may have more than one certificate associated with one ISE node; you just need to move the usage around. Other than that, test, test, and test!