ISE Certificate replacement issues

PacketSpartan
Level 1

We have a distributed deployment with 1 PAN, 1 SAN and 3 nodes. We've replaced the system certificate on one of the nodes, and we've also uploaded the new intermediate CA cert in the Trusted Certificates section. When we go to change the second certificate's (second in the list) option for "Trusted for Infrastructure, Cisco services, endpoints and admin auth", we get the below message:

[screenshots of the message attached to the original post, not captured]

The reason for the second trusted certificate is due to having a new intermediate CA server (as the first one is expiring). 

The PAN, the SAN and the other 2 nodes (out of 3) have certificates signed by the current CA (first in the list). These are all due for renewal as well.

Does this mean that, to make the second trusted certificate work, I need to update the system certificates for all the remaining devices (PAN, SAN, 2 nodes) so they are signed by the new CA (second on the list), then remove the "trusted for" options on the first trusted cert, for all of it to work?

Apologies, this is a long-winded post, but I am hoping someone else has had a similar issue/conundrum when it came to replacing the cert.

CCNA R&S
3 Replies

poongarg
Cisco Employee

Hi,

There is a check in the code that will not allow an update to an Admin Cert with Cert Based Authentication if there is another Trust Cert with the Admin Role that is also enabled for Cert Based Authentication. As said in the alert message, you need to disable cert based authentication on the other cert and then update this trust cert.

This is expected behaviour and not an error.

Hi Poongarg,

On the second CA certificate we've enabled "Infrastructure and Endpoints"; however, the node we'd replaced the system certificate on is still not handling RADIUS requests.

From the ISE manuals, it won't work until we move the admin role to the second CA certificate to allow connectivity between the node and the PAN?

CCNA R&S

hslai
Cisco Employee

@PacketSpartan 

No, the admin and the EAP server certificates need not be the same one.

> ... however the node we'd replaced the system certificate on is still not handling Radius requests.

If the new system certificate is configured as the EAP server certificate of the ISE node and if the EAP-based authentications are not working against this ISE node, take a packet capture (e.g. tcpdump) and verify if this ISE node is sending the full certificate chain properly. Please engage Cisco TAC, as needed.
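The chain check hslai describes, as an added example that is not part of this thread or of Cisco's software: given the certificates an ISE node presents in the EAP-TLS handshake (parsed from the capture) and the CAs the supplicant trusts, it walks up from the leaf and reports whether the chain is complete. The `mk_cert` helper, the constructed test chain and its names are assumptions made here to keep the example self-contained.

```python
# Added example: verify that a presented certificate chain is complete up to a trusted CA.
# In practice `presented` would be the certificates exported from the EAP-TLS capture
# (x509.load_der_x509_certificate on each), and `trusted` the supplicant's trust anchors.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def mk_cert(cn, ca, issuer=None, issuer_key=None):
    """Issue a constructed test certificate (assumption); issuer=None gives a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key


def chain_is_complete(presented, trusted):
    """Walk up from the leaf (presented[0]): each issuer must be a trusted CA or the next
    presented certificate, and every signature must verify. Returns (ok, reason)."""
    anchors = {c.subject: c for c in trusted}
    cur, rest = presented[0], list(presented[1:])
    while True:
        signer = anchors.get(cur.issuer)
        anchored = signer is not None
        if signer is None:  # not a trust anchor: the node must have sent the issuer itself
            if not rest or rest[0].subject != cur.issuer:
                return False, f"issuer not presented or trusted: {cur.issuer.rfc4514_string()}"
            signer = rest.pop(0)
        try:
            signer.public_key().verify(cur.signature, cur.tbs_certificate_bytes,
                                       ec.ECDSA(cur.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"bad signature on {cur.subject.rfc4514_string()}"
        if anchored:
            return True, f"anchored at trusted CA {signer.subject.rfc4514_string()}"
        cur = signer


def demo():
    """Constructed scenario: node cert signed by a new intermediate that chains to a root."""
    root, root_key = mk_cert("Old Root CA", True)
    inter, inter_key = mk_cert("New Intermediate CA", True, root, root_key)
    node, _ = mk_cert("ise-node-3.example.test", False, inter, inter_key)
    return {"full_chain": chain_is_complete([node, inter], [root])[0],
            "missing_intermediate": chain_is_complete([node], [root])[0],
            "intermediate_trusted_directly": chain_is_complete([node], [inter])[0]}
```

The "missing_intermediate" case is the failure mode to look for in the capture: the node sends only its own certificate and the supplicant has no path to a CA it trusts.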