

ISE Certificate Renewal

Hi All,


  • We are using DigiCert certificates for ISE 1.4 which are expiring in a month. All our guest portals, sponsor portals and all ISE URLs, AD etc. are currently on the domain, BUT the problem is we don't own this domain anymore, though we still have its DigiCert certificates installed on our ISE.
  • Initially, we considered renewing the certificates with our internal CA, but then realised that our ISE has a number of captive portals for providing WiFi guest access, sponsor access and the approval workflow, and if a guest/BYOD laptop tries to join our network, it will not trust our internally signed certificate.
  • So now my question is: what are the possible options we have to renew our certificates? We do have a certificate for our new company domain.
  • We did consider changing the FQDN of ISE to and registering it with the new domain certificate, but the problem is AD will need to remain on domain as it has a lot of dependencies. So is it possible to integrate AD with ISE in spite of being on different domains? Mind you, this is ISE 1.4.
  • We also considered going for a SAN certificate, but then realised that since we don't own the domain, we may not be able to generate it.

Any suggestions/help on this will be genuinely appreciated.



VIP Advocate

Re: ISE Certificate Renewal

Hi @abhijith891 


You'll have to ditch the certs for domain once they expire - if you do not own that domain then it's no longer up for discussion.

Moving forward, you can still run your ISE nodes with FQDNs that have, and use some DNS CNAME entries to allow DNS resolution of. This means your ISE 1.4 nodes are still called and etc., but as far as DNS is concerned, your ISE nodes can have a canonical name of which points to the A record of. This means you don't need to reconfigure your ISE nodes at the CLI level.


All other logic in ISE such as URL redirection should then specify the new domains which clients will use to resolve the ISE Guest portals.


AD integration has nothing much to do with X.509 certificates. This means you can keep your legacy AD join points to for the purposes of AD integration.


I am going on what I know for ISE 2.x - I don't think ISE 1.4 is that much different, but I will caveat here that these things are fundamentally doable.


Hope that helps.
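The CNAME approach in the reply above works only if the replacement certificate's SAN list covers the names clients are redirected to: a browser validates the certificate against the host in the URL it was sent to (the name it also puts in SNI), never against the CNAME target, so the unchanged old-domain node hostname is irrelevant to that check, while any redirect still pointing at an old-domain name will fail once the old certificate is gone. The script below is an added example, not code from the thread or from Cisco: it implements RFC 6125 style dNSName matching against a SAN list and audits a set of portal URLs for names the certificate does not cover. Every hostname, SAN entry, CNAME and URL in it is a constructed placeholder standing in for the domains the post does not show.

```python
"""Hostname-vs-SAN check for ISE portal URLs reached through CNAMEs.

Added example, not code from the forum thread or from Cisco. Every
hostname, SAN entry, CNAME and URL below is a constructed placeholder.
"""
from urllib.parse import urlsplit

# Constructed SAN list of a replacement certificate issued for the
# new company domain only (the old domain can no longer be validated).
NEW_CERT_SANS = (
    "ise-psn1.newcorp.example",
    "ise-psn2.newcorp.example",
    "guest.newcorp.example",
    "sponsor.newcorp.example",
)

# Constructed DNS view: client-facing names in the new domain are CNAMEs
# to the unchanged node hostnames in the old domain.
DNS_CNAMES = {
    "guest.newcorp.example": "ise-psn1.oldcorp.example",
    "sponsor.newcorp.example": "ise-psn1.oldcorp.example",
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison.

    Case-insensitive exact match unless the pattern is a wildcard. A
    wildcard is honoured only when it is the entire left-most label, the
    pattern keeps at least two further labels (so "*.example" is refused)
    and it stands for exactly one label of the hostname.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """True if any SAN dNSName entry matches the client-requested hostname."""
    return any(dns_name_matches(san, hostname) for san in sans)


def check_redirect_url(url: str, sans=NEW_CERT_SANS, cnames=DNS_CNAMES):
    """Return (client_name, canonical_name, covered) for one portal URL.

    The client validates the certificate against the host in the URL it
    was redirected to; the CNAME target plays no part in that check and
    is reported only so the operator can see which node will answer.
    """
    client_name = urlsplit(url).hostname or ""
    canonical_name = cnames.get(client_name.lower(), client_name)
    return client_name, canonical_name, cert_covers(sans, client_name)


def audit_redirects(urls, sans=NEW_CERT_SANS, cnames=DNS_CNAMES):
    """Return the URLs whose host is not covered by the certificate.

    A redirect still pointing at an old-domain node name shows up here:
    the node answers (no CNAME is involved), but the certificate it now
    presents does not carry that name, so the guest's browser refuses it.
    """
    return [u for u in urls if not check_redirect_url(u, sans, cnames)[2]]


if __name__ == "__main__":
    # Constructed sample of portal URLs as they might appear in redirects.
    sample = [
        "https://guest.newcorp.example:8443/guestportal/",
        "https://sponsor.newcorp.example:8443/sponsorportal/",
        "https://ise-psn1.oldcorp.example:8443/guestportal/",
    ]
    for bad in audit_redirects(sample):
        print("not covered by certificate:", bad)
```

Run it after exporting the SAN list of the replacement certificate and the portal and redirect URLs actually configured; the only URLs the audit should return are ones you intend to rewrite to the new domain.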