04-18-2019 01:00 AM
Hi.
There are 4 certificates under "Certificate Authority Certificates" menu which are Root, OCSP, Node and Endpoint. The validity period of these certificates is as long as 10 years (it shows 2029 as the expiration date).
Also, by default there is a system certificate under "System Certificates" which is used for Admin, EAP Authentication, DTLS and Portals. The validity period of this certificate is as long as 1 year (it shows 2020 as the expiration date).
With these in mind, I think the system certificate used by ISE in EAP Authentication will expire in a year. Customer asked us to increase its validity period to 10 years, so they won't have to deal with expired certificate on 802.1x process after a year.
I know that using the CSR menu on the ISE GUI I can create a signing request and sign it with an external CA. But how is it done when I want to use the ISE internal CA instead to sign this new request and extend its validity period to 10 years? And in the first place, why has the default self-signed system certificate on ISE been set to be valid for just a single year, while the Root CA certificate on the ISE is valid for 10 years?
04-18-2019 05:28 AM
That is a normal CA setup. The root and Sub CAs usually have long lived certificates as they are used to issue and validate a chain of trust. The actual certificates issued to end devices/clients have a much lower expiry time, typically in the 1-2 year range. I don't believe any of the public CA providers do more than 2 years at this point.
Your customer wants to use the internal ISE CA issued cert for EAP authentication and portals? Have you explained to them that no one trusts the ISE internal CA and will get certificate warnings unless you turn off server validation (not a good idea) or distribute the ISE root CA cert to the clients' trusted root CA store? The only thing I use the ISE internal CA cert for is pxGrid.
At this point, if your client really doesn't care about certificates, you could just generate a self-signed certificate with a 15 year expiry and use that for everything. If you want to use the ISE internal CA you can make a new template under the Certificate Template screen that has an expiry of up to 10 years and issue certs from that template. Again, none of this would I ever recommend to a customer.
04-18-2019 07:10 AM
Just supposing that we have decided to increase the validity period of the system certificate on ISE, which has one-year validity by default, what will happen on the expiration date of that certificate? Does ISE renew its self-signed server certificate used for EAP Authentication before the expiration date, or do we need to regenerate a new system certificate manually before the expiration date?
my regards;
05-06-2019 03:15 AM - edited 05-06-2019 03:16 AM
@kthiruve Do you mean that we won't need to manually renew the ISE self-signed system certificates used for EAP-authentication, portal, RADIUS, etc at all?
05-30-2019 01:58 PM
Let me clarify, you need to manually renew certificate. ISE does not automatically renew it for you.
-Krishnan
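Added example (not from this thread and not ISE's own tooling): a shell script that uses the openssl CLI to build a throwaway CA with the validity split described in the accepted answer (10-year root, 1-year EAP server certificate) and then checks how long the leaf has left, the kind of check an operator needs because, as clarified above, ISE does not renew the system certificate by itself. It assumes openssl and GNU or BSD date are installed; the names Lab Root CA and ise.lab.example are constructed.

```shell
#!/bin/sh
# Throwaway PKI mirroring the ISE defaults discussed in the thread:
# a long-lived root and a short-lived server (EAP) certificate issued from it.
set -e
WORK=$(mktemp -d)

# 10-year self-signed root, like the ISE internal root CA (expires ~2029 in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Lab Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 1-year EAP server certificate issued by that root (ISE's default system cert lifetime).
# Hostname is a constructed placeholder.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ise.lab.example" \
  -keyout "$WORK/eap.key" -out "$WORK/eap.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -in "$WORK/eap.csr" -out "$WORK/eap.pem" 2>/dev/null

# The chain a supplicant validates once the root is in its trusted store.
openssl verify -CAfile "$WORK/root.pem" "$WORK/eap.pem"

# days_left CERT: whole days until the certificate's notAfter.
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  # GNU date first, BSD/macOS date as fallback.
  end_s=$(date -u -d "$end" +%s 2>/dev/null || date -u -j -f "%b %e %T %Y %Z" "$end" +%s)
  now_s=$(date -u +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# expires_within CERT DAYS: succeed (exit 0) when the cert expires within DAYS,
# i.e. when a manual renewal should be scheduled; fail otherwise.
expires_within() {
  # openssl -checkend exits 0 only if the cert is still valid after that many seconds.
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null && return 1
  return 0
}

# Operator view: the root is fine for years, the leaf needs attention within a year.
echo "root: $(days_left "$WORK/root.pem") days left"
echo "eap:  $(days_left "$WORK/eap.pem") days left"
if expires_within "$WORK/eap.pem" 60; then
  echo "eap certificate expires within 60 days: renew it now"
fi
```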