ISE Certificate

farih-kurniawan (Level 1)

Greetings everyone,

I just want to make sure: is it possible for Cisco ISE to work with two of the same certificate that have different expiration dates? Because these two certificates will expire in a short time. And so, if it is possible for the two same certificates to work simultaneously, the client will deploy the new certificates gradually. Thank you.

[Attached screenshot: farihkurniawan_0-1763969719010.png]


Accepted Solution

PSM (Level 1)

@farih-kurniawan ISE can have multiple certificates installed simultaneously, but you can't use more than one certificate for the 'admin' or 'EAP authentication' purpose. I assume your concern is because you are replacing the certificate with a certificate signed by a different CA. If the new cert is from a different CA, then you can trust both CAs (existing and new) on the endpoint side.


7 Replies

Thank you @PSM. I'm new to Cisco ISE. Do you mean that on one node there must be only one certificate for admin or EAP? If so, how do we renew the certificate? Is there a source document that explains that having more than one certificate for admin or EAP is prohibited in Cisco ISE?

@farih-kurniawan,

Looking at your image ... it's always a good practice to remove the "Not in Use" certificates.

Please take a look at:

ISE - Queue Link Error, and search for "IMPORTANT 2: delete Old Internal Certificates", which is an important step.


Hope this helps !


Thank you @Marcelo Morais. And if we want to switch to the new EAP certificate, can we do that when the existing one expires, or should we do it immediately, as soon as possible, before the existing certificate expires? We use a two-node Cisco ISE deployment, by the way. What is the best practice for importing certificates: one by one (per node) or simultaneously?

@farih-kurniawan,

The recommendation is:

  • switch to the new certificate before the existing one expires
  • import the new certificate to all nodes, one at a time
  • delete the old certificate only after a few days of testing with the new certificate


Note: always check not only the System Certificates, but also the Trusted Certificates (Administration > System > Certificates > Certificate Management) and Certificate Authority Certificates (at Administration > System > Certificates > Certificate Authority).


Hope this helps !
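As an added illustration (not code from this thread, from Cisco ISE, or from any of the posters), the Go program below models the two points made in the thread: the accepted answer's advice to trust both the existing and the new CA on the endpoint side, and the recommendation to switch before expiry and verify each node before deleting the old certificate. It constructs two hypothetical CAs and two server certificates for a hypothetical node name entirely in memory, then checks which endpoint trust stores accept which certificate and how many days each has left. The CA names, the hostname and the 30-day warning threshold are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	return s
}

// MakeCA builds a self-signed CA certificate in memory (constructed test fixture, not a real CA).
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// IssueServerCert signs a server-authentication certificate (the kind an ISE node presents
// for admin or EAP) for host with the given CA, valid for the given number of days from now.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, days int) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// DaysUntilExpiry returns the whole days left until NotAfter (negative once expired).
func DaysUntilExpiry(c *x509.Certificate) int {
	return int(time.Until(c.NotAfter).Hours() / 24)
}

// NeedsRotation is true when the certificate expires within warnDays: replace it before then.
func NeedsRotation(c *x509.Certificate, warnDays int) bool {
	return DaysUntilExpiry(c) <= warnDays
}

// TrustedBy reports whether an endpoint whose trust store holds exactly the given root CAs
// would accept server for host, which is what a supplicant checks during EAP server validation.
func TrustedBy(server *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	// Hypothetical names; nothing here refers to a real deployment.
	const host = "ise-psn-1.example.test"
	oldCA, oldKey := MakeCA("Old Corp CA")
	newCA, newKey := MakeCA("New Corp CA")
	oldCert := IssueServerCert(oldCA, oldKey, host, 20)  // the certificate about to expire
	newCert := IssueServerCert(newCA, newKey, host, 365) // its replacement, signed by the new CA

	for _, c := range []*x509.Certificate{oldCert, newCert} {
		fmt.Printf("%-12s days left=%3d rotate=%-5v old-CA-only=%-5v both-CAs=%v\n",
			c.Issuer.CommonName, DaysUntilExpiry(c), NeedsRotation(c, 30),
			TrustedBy(c, host, oldCA), TrustedBy(c, host, oldCA, newCA))
	}
}
```

The report shows why the endpoint trust store has to be updated before the node switches: an endpoint trusting only the old CA rejects the new certificate, while one trusting both accepts either, so the gradual per-node switch described above does not break authentication mid-rollout.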


ajc (Level 7)

My 2 cents: there are a few BUGS we just found "and faced" when you have multiple certificates for the different "USAGE" values (admin/portal/EAP authentication). Second, replacing the certificate asks you to reboot ALL the nodes in the deployment, but that process does not do anything at all. It is a known issue by TAC, so once EVERY SINGLE node is back online (no matter how you schedule it), you have to repeat the certificate assignment manually on each node.