ISE Expired Certificate

Hello,

I have a question about a Cisco ISE expired certificate. I attached a screenshot of the certificate, which has expired. It is used for (Trust for authentication within ISE, Trust for client Authentication and Syslog, and Trust for certificate-based admin authentication). Is it safe to delete this certificate since it's already expired?

And if it should be renewed, how is it renewed? Should I generate a new self-signed certificate and assign these 3 roles to it? 

It's a distributed deployment.

 

Thanks

Accepted Solutions

hslai
Cisco Employee

This certificate is for the "ISE OCSP Responder" of the ISE internal CA. If you are not finding a valid certificate with the same subject name, then please go to Administration > System > Certificates > Certificate Management > Certificate Signing Request and choose to renew it. If another one is already there with the same subject and is valid, then it's safe to delete it.

This does not look like a default ISE certificate. Since it's expired, I'd say it's safe to delete it. No need to generate a new certificate to replace the "Trust For" options.

The Trust For options simply state whether the certificate should be used for trust within ISE (Example node clustering), Client authentication and syslog (Client authentications, obviously..) and trust for admin authentication. You could have lots of certificates with all these options enabled, so deleting it does not necessarily mean that you need to enable it on other certificates.

Best Regards
Nicolai Borchorst
CCIE Security #65775

thomas
Cisco Employee

Create a new certificate and assign it the roles, then delete your expired, unused certificate.
