
ISE certificate chain with expiring intermediate CA

callmelasagna
Level 1

Hello Everyone,

I have deployed in my company network a cluster of ISE 2.4.0.357 with patch 9.

These two nodes run a group of certificates and my focus is on the two used for the https Portal and the EAP authentication.

These certificates are set to expire on March 18 2021, but one of the intermediate CAs present in the Certificate Hierarchy is set to expire on 29th October 2020, which is months earlier than the server certificate expiration. This CA is an internal one, so it is not a public CA.

As far as I know, the fact that one of the intermediate CAs expires will automatically make the server certificate not trusted.

In my company there's already a newer intermediate CA that has been issued using the same name as the one expiring on 29th October 2020, which is set to expire on 4th December 2023.

I also checked using the Windows certificate store, and I can see that the newer one has a field "previous certificate hash" which the old one doesn't have; also, its CA version is reported as "1.0", whereas "0.0" is reported on the older CA.

When using Chrome (which uses the Windows certificates store), I can see that Windows uses the newer intermediate CA to trust the server certificate and not the old one, so in some way, Windows is able to understand that the newer intermediate CA is replacing the old one.

This does not happen with Firefox (which doesn't use the Windows certificate store), which displays the old intermediate CA.

By doing a Wireshark capture I noticed that the server presents the certificate using the expiring intermediate CA and not the new one. This made me realize that Windows is capable of understanding that, even if the server certificate is presented with a specific CA, it can use the newer one to create the certificate path.

 

My best guess is that importing the newer intermediate CA into the ISE will make the ISE itself aware that the portal certificate and EAP authentication certificates can be presented to clients with the newer intermediate CA rather than the expiring one, in the same way as Windows does.

My question is, is my best guess right? Will importing the new CA certificate to the trusted certificate store resolve my issue with the Certificate Hierarchy?

Do any of you see any reason why this might affect clients that try to authenticate to the ISE (since the EAP authentication certificate is also involved)?

Is a reboot necessary to make the ISE recreate the Certificate Hierarchy?

 

I know the explanation is a little tricky to understand, but I did my best not to disclose any information about my company, so I needed to stay as generic as possible.

 

Thanks to everyone who can provide any feedback on this matter.
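The path-building behaviour described in the question (the server sends the expiring intermediate, yet a client that also holds the renewed intermediate with the same name validates the server certificate through the renewed one) can be reproduced with Go's standard-library verifier. This is an added example, not code from the thread or from ISE: the root, the two issuing-CA certificates and the server certificate are constructed inline with placeholder names, and it assumes the renewed intermediate reuses the old CA's key pair, which is what allows it to verify the signature on a server certificate that was issued under the old one. It also includes the check a practitioner would run on the chain the server actually presents: which certificate in it expires first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, placeholder PKI (not real certificates): an internal
// root, an issuing CA whose certificate was renewed with the SAME key pair (the
// old cert expires before the server cert, the new one years later), and the
// ISE server certificate signed by that issuing key under the old cert.
type testPKI struct {
	root, oldInter, newInter, leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI(now time.Time) testPKI {
	rootKey, issuingKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate(1, "Example Internal Root CA", now.AddDate(-5, 0, 0), now.AddDate(10, 0, 0))
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// Same subject, same public key; only serial and validity differ (same-key renewal).
	issuing := "Example Internal Issuing CA"
	oldInter := sign(caTemplate(2, issuing, now.AddDate(-3, 0, 0), now.AddDate(0, 2, 0)), root, &issuingKey.PublicKey, rootKey)
	newInter := sign(caTemplate(3, issuing, now.AddDate(-1, 0, 0), now.AddDate(3, 0, 0)), root, &issuingKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "ise.example.internal"},
		DNSNames:  []string{"ise.example.internal"},
		NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(0, 7, 0), // outlives the old issuing cert
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return testPKI{root, oldInter, newInter, sign(leafTmpl, oldInter, &leafKey.PublicKey, issuingKey)}
}

// firstToExpire returns the index (leaf = 0) of the certificate in a presented
// chain that expires earliest. Anything other than 0 means the chain as sent by
// the server stops validating before the server certificate itself does.
func firstToExpire(chain []*x509.Certificate) int {
	idx := 0
	for i, c := range chain {
		if c.NotAfter.Before(chain[idx].NotAfter) {
			idx = i
		}
	}
	return idx
}

// verifyWith validates the leaf at time at against the root using whatever
// intermediates the client has (the one sent, one from its own store, or both)
// and returns the serial of the intermediate that ended up in the path.
func verifyWith(p testPKI, at time.Time, intermediates ...*x509.Certificate) (int64, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := p.leaf.Verify(x509.VerifyOptions{
		DNSName: "ise.example.internal", Roots: roots, Intermediates: inters, CurrentTime: at,
	})
	if err != nil {
		return 0, err
	}
	return chains[0][1].SerialNumber.Int64(), nil // chains[0] is [leaf, intermediate, root]
}

func main() {
	now := time.Now()
	p := buildPKI(now)
	fmt.Println("first to expire in presented chain (0 = leaf):", firstToExpire([]*x509.Certificate{p.leaf, p.oldInter}))
	later := now.AddDate(0, 3, 0) // old issuing cert expired, server cert still valid
	if _, err := verifyWith(p, later, p.oldInter); err != nil {
		fmt.Println("client with only the sent intermediate:", err)
	}
	if serial, err := verifyWith(p, later, p.oldInter, p.newInter); err == nil {
		fmt.Println("client with the renewed intermediate in its store: path built via serial", serial)
	}
}
```

The two `verifyWith` calls in `main` are the Firefox and Windows cases from the question: a client that trusts only what the server sent fails once the old issuing certificate expires, while a client that also holds the renewed certificate builds a path through it because the name and key match and it is still within its validity period. `firstToExpire` on the captured chain is the quick way to spot this situation before it bites: if the answer is not the leaf, the chain the server hands out will fail earlier than the server certificate's own expiry date suggests.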

3 Replies

hslai
Cisco Employee

This seems odd to me, that an upper entity in a certificate chain has an earlier expiration date. Perhaps the newer intermediate CA certificate was already there when the ISE server certificate was issued, but somehow the older intermediate CA certificate got imported into ISE.

Yes, we need to correct this in the ISE trusted certificates store. I am not 100% certain whether you are able to replace the old with the new. You might need to temporarily move the portal and the EAP cert(s) to another certificate, export the key and cert pair(s), delete it/them in the server certificates, delete the old intermediate CA certificate in the trusted certificates, then import the new intermediate CA cert to the trusted certificates and finally re-import the key and cert pair(s) back to the server certificates.

As to the impact on the clients, it depends on the clients. As you already observed, different web browsers behave differently; 802.1X supplicants also differ.

If the certificate is not used by Admin (ISE admin portal), it usually does not need a restart of ISE services. If you do not see the newer hierarchy built, then please do restart ISE services and check.

ade5
Level 1

I believe your question is whether you can import the new intermediate CA on top of the old/expiring intermediate CA signed by the same Root CA. The answer is yes.

 

You will need to validate that the Root CA serial number that signed the new intermediate CA matches the one on the old intermediate CA and on all certificates you have installed.

 

Once the old certificate expires, delete it.

 

I had similar issues/question before and I did just that with no issues.

Hi ade5,

Yes, we managed to gather a test ISE to test this solution and it works properly, so I just uploaded the new intermediate CA to the trusted certificate store and it has replaced the old one.

Unfortunately the certificate that was signed with that intermediate certificate is attached to the admin portal, so I might need to be a little bit extra careful as to when the ISE can restart the services, but apart from that I expect 0 downtime.

Thank you both for having replied to this.
