ISE: how to extend the due date of certification

naoki_Japan
Spotlight

I found that there are 4 self-signed certifications on the ISE by default.

One of them is for SAML, and it is the only one whose due date can be extended by checking the "Renewal Period" box and entering the TTL.

However, as for the other certifications, I cannot check the box and cannot extend the due date.
Moreover, for the certification of the ISE Messaging service, I notice that I cannot create it on the panel > Generate Self Signed Certificate.

Please tell me how I can handle this problem.
Should I create a new certification?
How can I extend the due date of the certification of the ISE Messaging service and the others?
2 Accepted Solutions

ComputerRick
Cisco Employee

For the ISE Messaging Service, it is generated from the Internal CA service that runs on ISE.

The Messaging cert is not extended, and for this case, I would suggest regenerating the ISE Root CA.

Go to Certificates, then Certificate Signing Requests, and Generate CSR. There will be a pull-down menu; select ISE Root CA from that and then click the Generate button. The pull-down will also have the ISE Messaging cert, among others. If your messaging cert is about to expire, it's likely expiring on more than one node and a new root would be a better method.

 

HTH.

In addition to what @ComputerRick correctly noted, you must first have the Internal Certificate Authority (CA) enabled for the ISE Root CA option to be available as an option.

Administration > System > Certificates > Certificate Authority > Internal CA settings > Enable Certificate Authority

4 Replies

Your advice solved the problem I had.
THX!!!

 

As you advised, I set up internal CA and got it!!!

 

Thank you for the support!! Appreciate it!!