ISE 2.7 Renewal of ise messaging service certificate

mmisonne
Level 2

Hello

I use ISE version 2.7.

I need to renew an ISE Messaging Service certificate because it is expired.

How can I do it?

If I use "generate self signed certificate", I do not have the option to generate a certificate for the ISE Messaging Service.

Michel

1 Accepted Solution

hslai
Cisco Employee

Choose Administration > System > Certificates > Certificate Management > Certificate Signing Request. Choose the usage ISE Messaging Service.


7 Replies


So, it is not possible to do it with the "generate self signed certificate" option like we can do it for Admin/EAP/Portal certificates. We need to do it with a PKI.

I notice also that, if the option "Use "ISE Messaging Service" for UDP Syslogs delivery to MnT" is activated, we need to generate a certificate for ISE Messaging from a PKI. If we leave the default self-generated "ISE messaging certificate", the Syslog messages will not be accepted by the MnT and the log will be empty.

 

This methodology does not work for me. There simply is no option to select an ISE Messaging Service type of certificate.

 

I am using an external CA, therefore the internal CA is disabled.

I am running ISE v3.1p3

I am running in FIPS mode.

M.Jallad
Level 1

Hi Michel,

Did you have a solution for this by any chance?

I think we ran into the same issue, and we had to disable the default option and use UDP 20514 to get live logs running on the MnT.

Regards,

Muayad

Hi Muayad

The solution I found, at that time, was to do an "application reset config".

It will lose everything (except the first setup, IP address, ...) and it will recreate all self-signed certificates.

Michel

The method @hslai provided from the CSR page is the correct way to renew the messaging service certificate. This is not a CSR in the traditional sense where you get a CSR file to fill elsewhere. When you select the "ise messaging service" option from the list, it will generate a new deployment signed certificate for each node and install it. This is a one stop shop action to replace the expired messaging certificate. 

Alex Martin
Level 1

If anyone is still facing this issue in 2023 and they are using a third-party PKI, the key here to be allowed to re-generate this certificate is that the Local CA in ISE must be enabled first.

Navigate to Administration > System > Certificates > Internal CA Settings and select Enable Certificate Authority.

Then go to Administration > System > Certificates > Certificate Signing Requests, in the dropdown select ISE Messaging Service, and click Generate ISE Messaging Service Certificate.

When the new certificate is generated you can check for it in Administration > System > Certificates > System Certificates, delete the previous one, and then return to Administration > System > Certificates > Internal CA Settings and select Disable Certificate Authority.

Cheers,

Alex