Re: ISE - Renew of PAN Certificate Services Node CA

LAN team · ‎08-31-2022

Hello,

The PAN Certificate Services Node CA issued by the PAN Certificate Services Root CA soon expire. I guess it was generate automatically during the installation of the ISE.

We don't use it for admin, eap, radius, portal etc services as we're using the company PKI.

But some internal certificate as OCSP and ISE Messaging service are issued by the PAN Certificate Services Node CA.

I've read some doc about to renew OCSP, ISE Messaging service certificates but nothing about PAN Certificate Services Node CA.

Does it mean I've to renew the whole ISE Root CA Certificate chain ?

Damien Miller · ‎08-31-2022

Depending on the expiration of the root CA cert you may need to but it's unlikely to be expiring. If I remember correctly then the root certificate is issued for ten years. The Sub CA/intermediate is also a ten year cert by default. The OCSP and ISE Messaging do expire at five or less so you can run through renewing those in the GUI on the "Certificate Signing Requests" page.

LAN team · ‎09-01-2022

The root CA expires in 2027, then no soucy with this one, but the service sub CA and the service node CA expire in 2022. (and all the internal certificate also)

Then my question is how can I renew the service node CA certificate and the service sub CA certificate ? May I have to renew the whole certificate chain ?