ISE 2.7 has an expiring self-signed stand-alone pxGrid certificate.

I have an ISE 2.7 cluster with 4 nodes: 2 each of PSN and PAN. Each of the 4 nodes has a stand-alone self-signed pxGrid certificate on it that expires on 3/20/2024. We do not use pxGrid on that cluster, nor is the cluster configured for anything pxGrid. How do I remove that certificate before it expires? I have tried to renew the certificate, but I get an error that says "Certificate for pxGrid must contain both client and server authentication in the Extended Key Usage (EKU) extension" and the cert will not renew. I do not know what it is talking about. We use Microsoft AD for our identity source; I have no access to the MS side of things. Will the pxGrid cert expiring affect any other part of ISE if I just let it expire? Not sure whether to panic or put in a TAC case. Any help would be appreciated. Thank you!

11 Replies

@NatalieNDeGennaro72244 if you are not using pxGrid it doesn't matter too much, as it's not configured or in use.

If you wish, you can create a self-signed certificate on ISE for the pxGrid services: navigate to Administration > pxGrid Services > Certificates. This will create a certificate with the correct EKU extensions.

Also FYI ISE 2.7 is near end of support, you should consider upgrading - https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html
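The error quoted in the original post is a check on the certificate's Extended Key Usage: ISE will only accept a certificate for the pxGrid role if its EKU carries both TLS server authentication and TLS client authentication. Below is an added example, not code from this thread or from Cisco, that uses the openssl CLI to build a self-signed certificate with that EKU pair (the kind of certificate the pxGrid Services > Certificates page produces) and to check an arbitrary PEM certificate for the pair and for imminent expiry before it is imported or assigned a role. The file names, the CN (ise-psn1.example.test) and the 365-day lifetime are assumptions for illustration; the script needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): generate and check
# certificates against the EKU rule ISE applies to the pxGrid role.
# Assumes the openssl CLI is installed; all names below are illustrative.
set -e

# make_cert PREFIX CN EKU_LIST
# Writes PREFIX.key and PREFIX.pem, a self-signed leaf certificate whose
# extendedKeyUsage is EKU_LIST (e.g. "serverAuth, clientAuth").
# A throwaway openssl config is used so this works on old and new openssl.
make_cert() {
    prefix="$1"; cn="$2"; eku="$3"
    cfg="$prefix.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $cn
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cfg" -keyout "$prefix.key" -out "$prefix.pem" 2>/dev/null
}

# pxgrid_eku_ok CERT.pem
# Returns 0 only if the EKU extension lists both TLS Web Server
# Authentication and TLS Web Client Authentication, which is what the
# "must contain both client and server authentication" error demands.
pxgrid_eku_ok() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    case "$text" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$text" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# expires_within_days CERT.pem DAYS
# Returns 0 if notAfter is within DAYS days (or already past), 1 otherwise.
expires_within_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        return 1
    fi
    return 0
}

# Usage (constructed names):
#   make_cert /tmp/pxgrid ise-psn1.example.test "serverAuth, clientAuth"
#   pxgrid_eku_ok /tmp/pxgrid.pem && echo "EKU acceptable for the pxGrid role"
#   expires_within_days /tmp/pxgrid.pem 30 && echo "renew within 30 days"
```

Run `pxgrid_eku_ok` against any certificate you plan to assign the pxGrid role (including a CA-signed one), since a server-only certificate from a typical web-server CA template fails the same check. `expires_within_days` wraps `openssl x509 -checkend`, which is a convenient way to script the 30- or 60-day expiry sweep that surfaces certificates like the one in this thread before they show up on a CIO report.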


Thank you, Rob. I have 2 ISE environments with this pxGrid self-signed cert. One I can let slide, as I am going to be upgrading it to 3.2 soon. The other environment is already running 3.2 and I have a self-signed pxGrid cert there; it is a payment card industry (PCI) environment, and due to federal agency rules I can't have any self-signed certs there. pxGrid is not configured in the PCI environment and was mistakenly put there when someone else upgraded that environment. I would like to remove that pxGrid cert from the PCI environment altogether but do not know how to do that. I was going to open a TAC case and ask if the TAC engineer can remove that cert. Unless someone on this board can tell me how to do that, please?

@NatalieNDeGennaro72244 

Delete a Certificate

If a certificate in ISE is expired or unused, it needs to be removed. Make sure the certificates have been exported (with their private keys, if applicable) before deleting them.

To delete an expired certificate, navigate to Administration > System > Certificates > Certificate Management. Click on the System Certificates store. Choose the expired certificate(s) and click Delete.
The same applies to the Trusted Certificates and Certificate Authority Certificates stores.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html


Rob, I cannot delete this pxGrid cert. It comes back with an error: "The PxGrid certificate cannot be deleted. Assign PxGrid role to another certificate and try again." I have made it a stand-alone and renewed all other certs. I will create a TAC case and maybe the TAC engineer can go in and remove this cert. Thank you anyway.

@NatalieNDeGennaro72244 just assign the pxGrid role to another certificate. You can do that by clicking on one of the other valid certificates, then under Usage tick the box for pxGrid, then click Save. The old certificate that was used by pxGrid will then be unused and can be deleted.

OK, that will take care of the expiring pxGrid cert, but I would like to get rid of that cert altogether, not just move it around. That is why at this point I was thinking of creating the TAC case.

@NatalieNDeGennaro72244 you can get rid of that expiring pxGrid certificate (as per above); you just need to assign another certificate to the pxGrid role, and then the old pxGrid certificate can be deleted. You just need to select another certificate; the same certificate can be used for multiple different ISE roles.

Rob, I guess I am not explaining myself correctly. I want the pxGrid cert completely OUT of my environment. We are not configured for pxGrid, and my boss has to continually explain to the CIO about that cert and why it shows up on her radar (reports). I have 2 different environments that I want to completely remove the pxGrid cert from. This first environment is the test; the other environment is PCI (payment card industry) and is a closed environment with lots of upper-level visibility, and I don't want to have to write the exception letter for pxGrid in the PCI agency paperwork and explain that it was created by mistake by another person in my group.

@NatalieNDeGennaro72244 all of the ISE roles must have a certificate assigned whether you are using that functionality or not (that includes RADIUS DTLS, pxGrid, Portal, EAP, Admin, etc.). Use another certificate, such as Admin or EAP, for the pxGrid role so they share the same certificate. Then there is no specific pxGrid certificate.

That wasn't true before. When I installed 2.7, in fact, it was in the admin guide at the time to only install the certs you needed, and that you didn't have to install them all: more overhead that way. And now with 3.2 they want all certs to be stand-alones. I can see that point, but I don't see why you would add certs you don't need or use, as they would still need to be maintained. Thank you.


BTW, when pxGrid was part of the RADIUS DTLS cert, I was not able to delete that one either.