Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1921
Views
0
Helpful
1
Replies

ISE Certificate Renewal

abhijith891
Level 1
Level 1

‎04-06-2020 01:36 PM - edited ‎04-06-2020 01:36 PM

Hi All,

 

  • We are using Digicert certificates for ISE 1.4 which is expiring in a month. All our guest portals, sponsor portals and all ISE URLs, AD etc are currently on the domain company1.com. BUT the problem is we don’t own this domain anymore but we still have its Digicert certificates installed on our ISE.
  • Initially, we considered renewing the certificates with our internal CA but then realised that our ISE  is having number of captive portals for providing WiFi guest access, Sponsor and for approval workflow,  and if a guest/BYOD laptop tries to join our network, then it will not trust our internal signed certificate
  •  So now my question is: what are the possible options we have to renew our certificates? We do have a certificate for our new company domain company2.com.
  • We did consider changing the fqdn of ISE to company2.com and registering it with the new domain certificate, but the problem is AD will need to remain on domain company1.com as it has a lot of dependencies. So is it possible to integrate AD with ISE inspite of being on different domains? Mind you, this is ISE 1.4 .
  • We also considered going for a SAN certificate but then realised that since we dont own the domain company1.com, we may not be able to generate it.

Any suggestions/help on this will be genuinely appreciated.

 

Regards.

0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎04-14-2020 11:01 PM

Hi @abhijith891 

 

You'll have to ditch the certs for company1.com domain once they expire - if you do not own that domain then it's no longer up for discussion.

Moving forward, you can still run your ISE nodes with FQDNs that have company1.com, and use some DNS CNAME entries to allow DNS resolution of company2.com - this means your ISE 1.4 nodes are still called ise1.company1.com and ise2.company1.com etc - but as far as DNS is concerned, your ise nodes can have a canonical name of ise1.company2.com which points to the A Record of ise1.company1.com - this means you don't need to reconfigure your ISE nodes at the CLI level.

 

All other logic in ISE such as URL redirection should then specify the new company2.com domains which clients will use to resolve the ISE Guest portals.

 

AD integration has nothing much to do with x.509 certificates. This means you can keep your legacy AD join points to company1.com for the purposes of AD integration.

 

I am going on what I know for ISE 2.x -  I don't think ISE 1.4 is that much different but I will caveat here that these things are fundamentally doable.

 

Hope that helps

Arne 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents