ISE 3.0 Upgrade + Regenerate the Root CA Chain

Hi all, 

 

I have noticed in the ISE 3.0 Post Upgrade notes that it mentions that the Root CA chain must be regenerated.

Cisco ISE 3.0 Upgrade Guide: Post-Upgrade Tasks - Cisco

 

My question is twofold: 

  1. Will this impact endpoints that have already auto enrolled for certificates via the ISE internal CA? 
  2. Do I have to push the new certificate chain to endpoints that have already enrolled to ISE internal CA? 

I am wary of the impact this may cause, as the customer this upgrade is for has tens of thousands of endpoints with ISE-supplied certificates.

 

Cheers,

Michael

2 Accepted Solutions

Greg Gibbs
Cisco Employee

When you re-generate the Internal CA Root Chain, ISE does not delete the old one automatically. As long as ISE retains the old Root Chain, it will trust certificates presented by the endpoints with identity certificates signed by that chain.
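
The trust behaviour described in this answer can be reproduced with a throwaway OpenSSL lab PKI. This is an added example, not part of the original thread and not ISE's own tooling; all file names and subject names are constructed. It shows an endpoint certificate issued under the old root validating while the old root stays in the trust bundle, and failing when only the new root is trusted.

```shell
#!/bin/sh
# Constructed lab PKI: plain X.509 chain validation, nothing here touches ISE.
set -e

make_root() {        # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_endpoint() {   # $1 = issuing root prefix, $2 = endpoint file prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=endpoint-01" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

chain_ok() {         # $1 = trust bundle, $2 = certificate; status 0 if it chains
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

verdict() {          # $1 = trust bundle, $2 = certificate; prints the outcome
  if chain_ok "$1" "$2"; then echo trusted; else echo rejected; fi
}

run_demo() {
  demo_dir=$(mktemp -d)
  (
    cd "$demo_dir"
    make_root old "Lab Root CA (before regeneration)"
    issue_endpoint old ep            # endpoint enrolled before the upgrade
    make_root new "Lab Root CA (after regeneration)"
    cat old.pem new.pem > both.pem   # old root retained next to the new one
    echo "old and new roots: $(verdict both.pem ep.pem)"
    echo "new root only: $(verdict new.pem ep.pem)"
  )
  rm -rf "$demo_dir"
}

run_demo
```

The same `openssl verify -CAfile` check can be pointed at an exported trust bundle and a sample endpoint certificate before any old root is removed.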


After upgrading from 2.7 to 3.1, I'm now receiving the Queue Link Error. Cisco advised to replace the Internal Root CA. I wonder if that's our case. We have 2 nodes and they are in sync. ISE messaging is up and running and under Internal CA settings, the internal CA authority is up for both nodes. Will this affect the certificate installed in the workstations? Ours are signed by the local CA of the company.

Thanks, JC

 

 

 

sergioparl
Level 1

Question, does regenerating the ISE Root CA require or cause a reboot of the ISE appliance?

Awesome. Thank you