ISE renew Root Certificate with the same private key

KOAVA · ‎10-22-2024

Hello all,

We renewed our windows internal root ca server certificate using the same public key and we want to renew our ISE root certificate as well.
For the certificate import into ISE server we go to the menu Administration > System> Certificates > Trusted Certificates.

As soon as we try to import the certificate ISE give us the below alert.
“A certificate with the the same private key has already been imported. In some situations, it may be necessary to import a duplicate certificate in ISE, for example, when a certificate is renewed in Microsoft CA Services without replacing the private key. If you proceed, the existing certificate will be replaced. Do you wish to replace the existing certificate?”.

Will this impact endpoints that have already auto enrolled with the old root certificate CA?

Is it possible that the clients with the old certificate may experience any disruptions?
When we replace these certificate, will our clients get any kind of warning or prompt that we need to be aware of?

Thank you.

Flavio Miranda · ‎10-22-2024

@KOAVA

Similar thread here in the forum with Cisco answers

https://community.cisco.com/t5/network-access-control/ise-renew-root-certificate/td-p/4513602

Aref Alsouqi · ‎10-23-2024

You get that warning when you try to import the system certificate or the trusted certificate? I wouldn't expect the trusted certificate to have any reference to the private key in it as those trusted certificates would only include the public keys.

KOAVA · ‎10-24-2024

@Aref AlsouqiI get the error when i try to import the cert on the Trusted certificates store.

Aref Alsouqi · ‎10-24-2024

Just curious if you could share a screenshot of this? anyway, replacing the existing certificate in ISE shouldn't have any impact on the endpoints nor on the authentication sessions as here we are referring to the same internal CA/issuer.