Solved: Re: ISE hostname changed but not updated in Internal CA Certs

pranav nandgaonkar · ‎05-25-2020

Hello,

Need help with CN name not updated in Internal CA Certs issue.

I have freshly installed Cisco ISE on 3615 hardware.

No configuration is present on the box and I changed serial number of ISE and restarted the services.

Updated serial number is visible everywhere but not updated in Internal CA certs.

I will be using ISE for Guest Access and TACACS and 3rd part CA will be used for signing the certs.

Will this issue affect any of the services and how can this be resolved.

Thanks in advance.

Marvin Rhoads · ‎05-25-2020

The serial number(s) in your internal CA certificates is completely independent of the serial number(s) of certificates generated by an external CA.

Marvin Rhoads · ‎05-25-2020

The serial number(s) in your internal CA certificates is completely independent of the serial number(s) of certificates generated by an external CA.

pranav nandgaonkar · ‎05-25-2020

Thanks for the reply. But I want to confirm regarding the hostname.

Eg: My hostname earlier was 'ABCISE01' but when I changed to 'PQRISE01' still in it's internal CA cert it is showing as 'ABCISE01'.

Any idea on how can I update the same.

Arne Bier · ‎05-25-2020

You mean to say Subject Name, and not Serial Number (because you can't change the ISE serial number ;-)

You have to generate a self signing request on your renamed ISE node and then your internal CA will be alright.

Administration > Certificates > Certificate Signing Requests

Click on Generate CRS - then select "ISE Root CA"

this is not disruptive. It will regenerate the internal CA Root, Node, and Issuing CA certs.