ISE Certificates

ciscoworlds
Level 4

Hi.

There are 4 certificates under the "Certificate Authority Certificates" menu, which are Root, OCSP, Node and Endpoint. The validity period of these certificates is as long as 10 years (it shows 2029 as the expiration date).

Also, by default there is a system certificate under "System Certificates" which is used for Admin, EAP Authentication, DTLS and Portals. The validity period of this certificate is as long as 1 year (it shows 2020 as the expiration date).

With these in mind, I think the system certificate used by ISE in EAP Authentication will expire in a year. The customer asked us to increase its validity period to 10 years, so they won't have to deal with an expired certificate in the 802.1X process after a year.

I know that using the CSR menu on the ISE GUI I can create a signing request and sign it with an external CA. But how is it done if I want to use the ISE internal CA instead to sign this new request and extend its validity period to 10 years? And in the first place, why has the default self-signed system certificate on ISE been set to be valid for just a single year, when the Root CA certificate on ISE is valid for 10 years?

6 Replies

paul
Level 10

That is a normal CA setup. The root and sub CAs usually have long-lived certificates as they are used to issue and validate a chain of trust. The actual certificates issued to end devices/clients have a much lower expiry time, typically in the 1-2 year range. I don't believe any of the public CA providers do more than 2 years at this point.

Your customer wants to use the internal ISE CA issued cert for EAP authentication and portals? Have you explained to them that no one trusts the ISE internal CA and will get certificate warnings unless you turn off server validation (not a good idea) or distribute the ISE root CA cert to the clients' trusted root CA store? The only thing I use the ISE internal CA cert for is pxGrid.

At this point, if your client really doesn't care about certificates, you could just generate a self-signed certificate with a 15-year expiry and use that for everything. If you want to use the ISE internal CA, you can make a new template under the Certificate Template screen that has an expiry of up to 10 years and issue certs from that template. Again, none of this would I ever recommend to a customer.

Just supposing that we have decided to increase the validity period of the system certificate on ISE, which has one-year validity by default, what will happen on the expiration date of that certificate? Does ISE renew its self-signed server certificate used for EAP Authentication before the expiration date, or do we need to regenerate a new system certificate manually before the expiration date?

My regards;

You will need to manually refresh the ISE certificate.

kthiruve
Cisco Employee

No appliance will automatically renew certificates. That is counterintuitive to security.

-Krishnan

@kthiruve Do you mean that we won't need to manually renew the ISE self-signed system certificates used for EAP authentication, portal, RADIUS, etc. at all?

Let me clarify, you need to manually renew the certificate. ISE does not automatically renew it for you.

-Krishnan
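Two points in this thread turn into one concrete check: paul's description of the normal CA setup (long-lived root and sub CAs, leaf certificates in the 1-2 year range) and Krishnan's reminder that ISE will not renew the system certificate for you, so someone has to watch the expiry date. The script below is an added example written for this thread, not Cisco ISE code and not a Cisco tool: it walks the DER encoding of an X.509 certificate far enough to read its Validity field, then classifies the certificate as expired, expiring soon, issued for longer than leaf policy allows, or ok. CA certificates are exempt from the lifetime check, which is the pattern paul describes. The policy defaults (30-day warning, 398-day maximum leaf lifetime) and the sample certificates are assumptions: the samples are constructed DER skeletons with a real Validity field and empty placeholders elsewhere, not certificates exported from ISE.

```python
"""Read the Validity field of DER-encoded X.509 certificates and flag problems.

Added example for the ISE certificate thread (not Cisco ISE code). Sample
certificates are constructed skeletons; names, key and signature are empty.
"""
import datetime as dt

# Policy defaults (assumptions, tune to your environment): warn a month ahead,
# and treat leaf lifetimes above 398 days (the CA/Browser Forum maximum for
# publicly trusted TLS server certificates) as out of policy.
WARN_DAYS = 30
MAX_LEAF_DAYS = 398


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) pairs nested inside a constructed element."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        items.append((tag, inner))
    return items


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime carries a two-digit year; RFC 5280 pivots at 50
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)   # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = _children(fields[3][1])[:2]
    return _parse_time(*not_before), _parse_time(*not_after)


def assess(der, today, is_ca=False, warn_days=WARN_DAYS, max_leaf_days=MAX_LEAF_DAYS):
    """Classify a certificate as of `today` (YYYY-MM-DD).

    Returns (status, days_remaining, lifetime_days); status is one of
    'expired', 'expiring', 'overlong' or 'ok'. CA certs skip the lifetime check.
    """
    now = dt.datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
    not_before, not_after = certificate_validity(der)
    remaining = (not_after - now).days
    lifetime = (not_after - not_before).days
    if remaining < 0:
        status = "expired"
    elif remaining <= warn_days:
        status = "expiring"
    elif not is_ca and lifetime > max_leaf_days:
        status = "overlong"
    else:
        status = "ok"
    return status, remaining, lifetime


def _der(tag, content):
    """Encode one DER TLV; short and two-byte long-form lengths cover the samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def make_skeleton_cert(not_before, not_after):
    """Constructed sample: certificate-shaped DER with a real Validity field."""
    def utc_time(day):
        stamp = dt.datetime.strptime(day, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ")
        return _der(0x17, stamp.encode("ascii"))

    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                               # [0] version: v3
        _der(0x02, b"\x01"),                                           # serialNumber
        _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b"))),   # sha256WithRSAEncryption
        _der(0x30, b""),                                               # issuer (placeholder)
        _der(0x30, utc_time(not_before) + utc_time(not_after)),        # validity
        _der(0x30, b""),                                               # subject (placeholder)
        _der(0x30, b""),                                               # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # Mirrors the thread: a 10-year internal root and a 1-year system certificate.
    root = make_skeleton_cert("2019-06-01", "2029-06-01")
    leaf = make_skeleton_cert("2019-06-01", "2020-06-01")
    for name, der, ca in (("root", root, True), ("system", leaf, False)):
        print(name, assess(der, "2020-05-20", is_ca=ca))
```

Run against certificates exported from the ISE GUI (converted to DER), the same `assess` call gives an early warning in the weeks before the one-year system certificate lapses, and it also shows why a 10-year leaf would be flagged: it is the lifetime of a CA certificate, not of a server certificate. The DER walker only reads the Validity field and does no signature verification; for anything beyond reporting dates, use a full X.509 library.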
