ISE OCSP Responder Certificate expiring

colossus1611
Level 1

Hello,

We have a couple of OCSP responder certificates expiring after 60 days. When I check the 'Issued by' column it has the name of one of the other nodes on it, which is the PAN.

However, I am at a loss about how to go further to renew it. There seems to be no basic documentation to cover this, but I am sure it is quite simple.

How do I go about renewing it?

| Friendly Name | Status | Trusted For | Issued To | Issued By | Valid From | Expiration Date |
|---|---|---|---|---|---|---|
| Certificate Services OCSP Responder - ISE01#00016 | Enabled | Endpoints,Infrastructure | Certificate Services OCSP Responder - ISE01 | Certificate Services Root CA - ISE02 | Sun, 25 Sep 2016 | Sun, 26 Sep 2021 |
| Certificate Services Endpoint Sub CA - ISE01#00017 | Enabled | Infrastructure,Endpoints | Certificate Services Endpoint Sub CA - ISE01 | Certificate Services Root CA - ISE02 | Sun, 25 Sep 2016 | Sun, 26 Sep 2021 |

Accepted Solutions

Arne Bier
VIP

Hi @colossus1611

It's kind of hidden

renew.png

colossus1611
Level 1

Hi @Arne Bier,

Thank you! I didn't notice your response and was wondering how to go about this. So basically this will renew it the same as self-signed certificates, it seems.

I will give it a go sometime today. Correct me if I am wrong but I think business hours should be fine as it shouldn't cause any disruption by the look of it.

It won't cause any outage - the cert's private key is retained, and all that happens is that the new cert has a new start and end date and a new signature (hash). Serial number should also remain as is, as far as I know. 

 

**Correction: The Serial number is different - this implies that the certificate is actually regenerated. But it's pretty quick - should be done in less than a minute.
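
One way to check the points discussed above once a renewal has gone through, added here as an example and not part of the original posts or of Cisco's tooling: it compares a certificate saved before renewal with the one exported afterwards and reports whether the public key, serial number and expiry date changed, and whether the new certificate still falls inside the 60-day window. The file names, the helper functions and the two certificates it generates with openssl are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a certificate saved before renewal with the one
# exported afterwards. All file names and certificates here are constructed.

# Build two constructed certificates that share one key pair, standing in
# for an "old" and a "renewed" OCSP responder certificate.
make_constructed_certs() {
    dir=$1
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -set_serial 1001 -days 30 \
        -subj "/CN=Constructed OCSP Responder" -out "$dir/old.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -set_serial 1002 -days 1825 \
        -subj "/CN=Constructed OCSP Responder" -out "$dir/new.pem" 2>/dev/null
}

# Print one x509 attribute (-pubkey, -serial, -enddate) of a PEM certificate.
cert_attr() {
    openssl x509 -in "$1" -noout "$2"
}

# Report what changed between old ($1) and new ($2), and whether the new
# certificate still expires within $3 days.
compare_renewal() {
    old=$1 new=$2 window_days=$3
    for attr in pubkey serial enddate; do
        if [ "$(cert_attr "$old" "-$attr")" = "$(cert_attr "$new" "-$attr")" ]; then
            echo "$attr=unchanged"
        else
            echo "$attr=changed"
        fi
    done
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if openssl x509 -in "$new" -noout -checkend $((window_days * 86400)) >/dev/null; then
        echo "expires_within_${window_days}d=no"
    else
        echo "expires_within_${window_days}d=yes"
    fi
}

# Demo run on the constructed pair.
demo_dir=$(mktemp -d)
make_constructed_certs "$demo_dir"
compare_renewal "$demo_dir/old.pem" "$demo_dir/new.pem" 60
```

If every line still reads `unchanged` against a freshly exported certificate, the renewal has not taken effect on that node yet.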

colossus1611
Level 1

Hi @Arne Bier,

Thanks again. I did go through the renewal process which seems to be just a single click with no selection of nodes required. It's been about an hour now and the certificates are still displaying an old expiry date, though it did suggest it may take some time at time of renewal.

Interesting that it did not ask for a node name at all and yet all the nodes currently have a different OCSP expiry date.

I might have to do this again - don't think the renewal will kick in now, given that it has already been more than an hour of wait.

ivan_abibe
Level 1

Did they eventually renew? I also did the same and it's been a while; not sure how long we are supposed to wait.