ISE - CA Certificates about to expire

rg235
Level 1

Hi all, I've inherited a working installation of ISE and I'm still wrapping my head around it.
I ran into this screen (screenshot attached) which seems quite alarming as it says that CA Certificates will expire in less than 2 weeks. The related CAs are disabled; however self-signed System Certificates (SAML, Admin and EAP Authentication -- guest portal is a bought certificate) are expiring in some years. How do I check if they've been signed with the affected CAs?


Am I safe to suppose that users will still be able to connect in two weeks' time? Can I renew these certificates? What are my options?

Thank you.

Accepted Solution

Mike.Cifelli
VIP Alumni

however self-signed System Certificates (SAML, Admin and EAP Authentication -- guest portal is a bought certificate) are expiring in some years. How do I check if they've been signed with the affected CAs?

-Navigate to Administration->System->Certificates->Certificate Management->System Certificates; here you can see what certs are in use and what their respective CA chains are.
Am I safe to suppose that users will still be able to connect in two weeks time? 

-More than likely yes, but double check the system certs in use and make sure the EAP Authentication system cert is not expiring.

Can I renew these certificates? What are my options?

-This will help: How To Implement Digital Certificates in ISE - Cisco Community

HTH!

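A way to do the same check outside the GUI, once the system certificates and the CA certificates have been exported from ISE as PEM files: match each certificate's issuer DN against the CA subjects and flag anything expiring within 14 days. This is an added example, not from this thread or from Cisco; it assumes the openssl CLI is installed, and the file names and sample certificates are constructed.

```shell
#!/bin/sh
# Added example (not from this thread or from Cisco): given a PEM system cert
# and a directory of PEM CA certs, find which CA issued it and flag any CA or
# certificate expiring within N days. Assumes openssl; names are constructed.

# Print the CA file whose subject DN equals the certificate's issuer DN.
# Usage: find_issuer cert.pem ca_dir   (exit 1 if no CA matches)
find_issuer() {
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  for ca in "$2"/*.pem; do
    ca_subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject= *//')
    if [ "$leaf_issuer" = "$ca_subject" ]; then
      printf '%s\n' "$ca"
      return 0
    fi
  done
  return 1
}

# Exit 0 if the certificate expires within N days (openssl -checkend returns
# non-zero when the cert will have expired by then).  Usage: expires_within cert.pem days
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# One-line status for a certificate: issuing CA and expiry within N days.
# Usage: report cert.pem ca_dir days
report() {
  if ca=$(find_issuer "$1" "$2"); then
    if expires_within "$ca" "$3"; then status="issued by $ca, which EXPIRES within $3 days"
    else status="issued by $ca (CA not expiring within $3 days)"; fi
  else status="issuer not among the known CAs (self-signed or external)"; fi
  if expires_within "$1" "$3"; then status="$status; cert itself EXPIRES within $3 days"; fi
  printf '%s: %s\n' "$1" "$status"
}

# Constructed sample data: a CA valid for only 10 more days, an "EAP" cert it
# signed (valid 365 days), and a self-signed "admin" cert chained to no CA.
d=$(mktemp -d); mkdir "$d/cas"
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj '/CN=Constructed Old CA' \
  -keyout "$d/ca.key" -out "$d/cas/oldca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=ise-eap.example.test' \
  -keyout "$d/eap.key" -out "$d/eap.csr" 2>/dev/null
openssl x509 -req -in "$d/eap.csr" -CA "$d/cas/oldca.pem" -CAkey "$d/ca.key" \
  -CAcreateserial -days 365 -out "$d/eap.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1000 -subj '/CN=ise-admin.example.test' \
  -keyout "$d/admin.key" -out "$d/admin.pem" 2>/dev/null
report "$d/eap.pem" "$d/cas" 14    # the EAP cert chains to the CA that is about to expire
report "$d/admin.pem" "$d/cas" 14  # the self-signed cert matches no CA in the directory
```

Run it against the real exports by pointing `report` at each system certificate and the directory of trusted CA PEMs; a cert whose issuer matches an expiring CA is the one to renew first.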


Great documentation. Thank you so much for sharing!!


-R

Thank you Mike, that helped a lot! System certs are not expiring anytime soon.

thomas
Cisco Employee

You may want to register for the upcoming ISE Digital Certificate Administration webinar:

https://cs.co/ise-webinars


I think that should be a well-attended seminar.


@thomas 

What are the chances that the ISE Web Portal Certs could be enabled to use Let's Encrypt? It would be a very handy feature, at least for Guest Portals or perhaps even the ISE Admin cert.

Hi @Arne Bier,

I think it's possible with the manual procedure: https://eff-certbot.readthedocs.io/en/stable/using.html#manual

In general, I'm not sure if it's a good idea implementing third-party plugins in hardened OSes like ISE. But it's only my personal point of view...

You may deploy certificates from any CA that you like.

Hosuk demonstrated the world's fastest multi-node ISE deployment using a wildcard certificate from Let's Encrypt in our December ISE Webinar. 8-)

Automated ISE Setup with Infrastructure as Code Tools

37:08 Demo: Wildcard Certificate Request with Let's Encrypt

Demo Code: https://github.com/hosukw/Full_ISE_Terraform_Ansible_AWS

I think what you really are asking for is ACME protocol support directly in ISE and that is not there yet.

But the new ISE 3.1 Certificate APIs are the next best thing!

Oh boy, how did I miss that webinar!? It's amazing. Thanks. I will see if I can give that a try. We're not deploying any 3.1 yet, or anywhere near AWS... yet. But I am mostly interested in the cert techniques for now.

Registered! Thank you!