cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

135
Views
0
Helpful
1
Replies
Highlighted
Beginner

ISE Certificate Renewal

Hi All,

 

  • We are using Digicert certificates for ISE 1.4 which is expiring in a month. All our guest portals, sponsor portals and all ISE URLs, AD etc are currently on the domain company1.com. BUT the problem is we don’t own this domain anymore but we still have its Digicert certificates installed on our ISE.
  • Initially, we considered renewing the certificates with our internal CA but then realised that our ISE  is having number of captive portals for providing WiFi guest access, Sponsor and for approval workflow,  and if a guest/BYOD laptop tries to join our network, then it will not trust our internal signed certificate
  •  So now my question is: what are the possible options we have to renew our certificates? We do have a certificate for our new company domain company2.com.
  • We did consider changing the fqdn of ISE to company2.com and registering it with the new domain certificate, but the problem is AD will need to remain on domain company1.com as it has a lot of dependencies. So is it possible to integrate AD with ISE inspite of being on different domains? Mind you, this is ISE 1.4 .
  • We also considered going for a SAN certificate but then realised that since we dont own the domain company1.com, we may not be able to generate it.

Any suggestions/help on this will be genuinely appreciated.

 

Regards.

1 REPLY 1
Highlighted
VIP Advocate

Re: ISE Certificate Renewal

Hi @abhijith891 

 

You'll have to ditch the certs for company1.com domain once they expire - if you do not own that domain then it's no longer up for discussion.

Moving forward, you can still run your ISE nodes with FQDNs that have company1.com, and use some DNS CNAME entries to allow DNS resolution of company2.com - this means your ISE 1.4 nodes are still called ise1.company1.com and ise2.company1.com etc - but as far as DNS is concerned, your ise nodes can have a canonical name of ise1.company2.com which points to the A Record of ise1.company1.com - this means you don't need to reconfigure your ISE nodes at the CLI level.

 

All other logic in ISE such as URL redirection should then specify the new company2.com domains which clients will use to resolve the ISE Guest portals.

 

AD integration has nothing much to do with x.509 certificates. This means you can keep your legacy AD join points to company1.com for the purposes of AD integration.

 

I am going on what I know for ISE 2.x -  I don't think ISE 1.4 is that much different but I will caveat here that these things are fundamentally doable.

 

Hope that helps

Arne