Solved: Re: [ISE 2.3.7] How to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates. - Page 2

Jihye Han · ‎11-06-2019

Hi Expert,

I'd like to know how to renew the 'VeriSign Class 2 Secure Server CA - G3 in Trusted Certificates.

My customer is using the ISE V2.3.7 and they said the above certificate will be expired on Feb 08, 2020 so they want to renew it before it expires.

Does anyone know what this certificate is for? From my checking, I couldn't find any related guide for that.

Thank in advance.

Jihye.

#Trusted Certificates

Arne Bier · ‎01-27-2020

@Kn1ghtR1d3rOfD00m - the question you need to answer is whether any of your ISE 2.0 nodes use Internet based services. If the answer is a categorical NO, then you're ok - delete the cert.

The problem is that Cisco cannot tell us what this cert is used for in ISE (not to my knowledge - correct me if I am wrong)

Examples of ISE 2.4/2.6 Internet based services are:

Profiler Feed Update (ise.cisco.com)
Posture Updates (https://www.cisco.com/web/secure/spa/posture-update.xml)
Cisco Call Home (and indirectly Smart Licensing) (tools.cisco.com)
Client Provisioning Updates (https://www.cisco.com/web/secure/spa/provisioning-update.xml)

There have been some URL changes since ISE 2.0

Only way to be sure is to open a TAC case - or reverse engineer the box with tcpdump and analyse the TLS negotiation to see what certs are presented by the foreign servers. Very time consuming ...

derobbacher · ‎02-10-2020

Hello,

I opened a TAC case and was advised to download and install two new certificates instead.

These ones are called HydrantID and QuoVadis Root CA 2.

They serve to connect to Cisco.com via SSL in order to obtain binary and data updates for Posture and BYOD.

I estimate that the obsolete Verisign cert was used for this in the past.

You can download them from:

https://software.cisco.com/download/home/283801620/type/283802505/release/cisco.com-certs

And here is the Field Notice describing the purpose of these certificates and how they should be installed.

https://www.cisco.com/c/en/us/support/docs/field-notices/701/fn70122.html

Greetings

Wini

decubed · ‎02-13-2020

I started getting log messages "Smart Licensing Authorization Renewal Failure" on the same day the cert expired. I don't believe in coincidences.

Arne Bier · ‎02-13-2020

@decubed

My Smart Licensing is still working despite me having deleted the expired Verisign cert. That story about the QuoVadis/Hydrant CA cert is quite old and it was all over the news back then. Perhaps people didn't act on the field notice then, but most systems that have this installed will be ok. Have a look if that fixes your issue.

innovative_elephant · ‎04-29-2020

With ISE 2.4, we got an error message when trying to delete this cert (VeriSign Class 2 Secure Server CA - G3).

Temporarily disabling all logging (Admin - System - Remote Logging Targets) allowed us to delete the cert even though none of our logging setup appeared to reference that cert.

Our issue and error message appears very similar to: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvk76680

Kn1ghtR1d3rOfD00m · ‎04-30-2020

thank you, I havent deleted from the system yet, but I guess I need to upgrade ISE, I will have to,

I remember I talked to TAC team and they stated that its just pretty much what it has been discussing in the previous post,

I dont get that message still but the difference is that I dont have 2.3.7, as Im running 2.0.206