
ISE certificate store update after CA lifetime extension

Thomas Thiele
Level 1

Hi all,

 

After extending the sub-CA (which issued the ISE admin + EAP certs) by using the same private key (just extended the expiry date), we are faced with updating the ISE certificate trust store, but this seems to be impossible without major impact:

  • adding the "new" sub-ca cert is not allowed in ISE 
  • removing the old sub-ca cert is also not allowed because ISE certs are issued by this ca

Our "solution":

  • delete all ISE ca certs (ouch!)
  • delete old sub-ca
  • add new sub-ca
  • get new ISE eap + admin cert 

We are looking for a better way to get this done.

 

2 Replies

hslai
Cisco Employee

This is likely a current limitation, as recent ISE releases have an issue dealing with any certificates with the same subjects in the ISE certificate stores.

IIRC it is able to replace the certificate(s) OK if using a new private key.

OK, but this is not an option at the moment. Extending a CA certificate by using the same private key is a standard operation afaik.
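
Added example, not part of the thread and not Cisco's code: an OpenSSL lab run of the renewal discussed above, showing that a CA certificate reissued with the same key keeps the same subject and public key, that a certificate issued before the renewal still chains to it, and that only serial, end date and fingerprint distinguish the two. The CA name, the leaf name `ise01.lab.example`, the lifetimes and the use of a self-signed CA in place of a sub-CA are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. Constructed lab PKI: names, lifetimes and the self-signed
# CA are assumptions for illustration, not values from the thread.
set -euo pipefail

renewal_demo() {
  local d; d=$(mktemp -d)
  (
    cd "$d"
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Sub CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
    # Original CA certificate (30 days) and its key.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca_old.pem -days 30 2>/dev/null
    # Leaf standing in for an ISE admin/EAP certificate, issued before renewal.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=ise01.lab.example" \
      -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca_old.pem -CAkey ca.key \
      -set_serial 1001 -days 20 -out leaf.pem 2>/dev/null
    # Lifetime extension: new CA certificate, same key, same subject.
    openssl req -x509 -config ca.cnf -new -key ca.key -out ca_new.pem -days 3650 2>/dev/null

    field() { openssl x509 -noout "$1" -in "$2"; }
    [ "$(field -subject ca_old.pem)" = "$(field -subject ca_new.pem)" ] && echo "same_subject=yes"
    [ "$(field -pubkey ca_old.pem)" = "$(field -pubkey ca_new.pem)" ] && echo "same_key=yes"
    [ "$(field -fingerprint ca_old.pem)" != "$(field -fingerprint ca_new.pem)" ] && echo "same_cert=no"
    # The existing leaf chains to the renewed CA certificate without reissue.
    openssl verify -CAfile ca_new.pem leaf.pem >/dev/null 2>&1 && echo "leaf_valid_under_new_ca=yes"
    # What tells the two CA certificates apart in a trust store listing.
    for c in ca_old.pem ca_new.pem; do
      echo "$c $(field -serial "$c") $(field -enddate "$c")"
    done
  )
  rm -rf "$d"
}

renewal_demo
```

Running the same `openssl x509 -noout -subject -serial -enddate -fingerprint` comparison on the real old and renewed sub-CA files confirms which copy a trust store currently holds.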