btsistem

ISE renew Root Certificate

Hi all,


We need to renew the internal root certificate. When I try to import the new root certificate, it gives an alert:

“A certificate with the the same private key has already been imported. In some situations, it may be necessary to import a duplicate certificate in ISE, for example, when a certificate is renewed in Microsoft CA Services without replacing the private key. If you proceed, the existing certificate will be replaced. Do you wish to replace the existing certificate?”.


If it replaces the old root certificate with the new one, do we need to renew the certificates that are installed on the nodes and used for EAP, admin, portal etc.?



Greg Gibbs
Cisco Employee

If you renewed the CA certificate without changing the private key, the certificates signed by the previous CA will still trust the new Root CA cert. The serial number of the Root cert will change, but if you look at the identity certificates, they should still show that 'Certificate status is good'.

Hi Greg,

Thanks for your response. The MS Teams stated that the private key is not changed. The only change is the encryption type. It is changed from sha1 to sha256. Will this become a problem?



As long as the private key has not changed, it should not affect the certificate trust. However, if your identity certificates are also using SHA1, you should also replace them with new SHA256 certificates to increase the level of security.
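The behaviour discussed in this thread can be reproduced offline with OpenSSL. This is an added example, not part of the original posts and not an ISE procedure: the subjects, file names and the temporary lab directory are made up, and the two roots use SHA-256 and SHA-384 (instead of SHA-1 and SHA-256) because some OpenSSL builds refuse to sign with SHA-1.

```shell
#!/bin/sh
# Constructed lab: every subject, name and file here is made up for the example.

make_lab() {   # builds a throwaway PKI in a temp dir and stores its path in $LAB
    LAB=$(mktemp -d) || return 1
    subj="/O=Lab/CN=Lab Root CA"
    {
        # One CA key pair, kept across the renewal.
        openssl genrsa -out "$LAB/ca.key" 2048
        # Original root certificate.
        openssl req -x509 -new -key "$LAB/ca.key" -sha256 -days 30 \
            -subj "$subj" -out "$LAB/root_old.pem"
        # Identity certificate issued under the original root.
        openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/node.key" \
            -subj "/O=Lab/CN=node1.lab.example" -out "$LAB/node.csr"
        openssl x509 -req -in "$LAB/node.csr" -CA "$LAB/root_old.pem" \
            -CAkey "$LAB/ca.key" -CAcreateserial -sha256 -days 30 -out "$LAB/node.pem"
        # Renewed root: same key and subject, new serial, different digest.
        openssl req -x509 -new -key "$LAB/ca.key" -sha384 -days 60 \
            -subj "$subj" -out "$LAB/root_new.pem"
        # Control case: same subject, but a freshly generated key.
        openssl genrsa -out "$LAB/rekey.key" 2048
        openssl req -x509 -new -key "$LAB/rekey.key" -sha256 -days 60 \
            -subj "$subj" -out "$LAB/root_rekeyed.pem"
    } >/dev/null 2>&1
    [ -s "$LAB/node.pem" ] && [ -s "$LAB/root_new.pem" ] && [ -s "$LAB/root_rekeyed.pem" ]
}

# trusts ROOT CERT: exit status 0 if CERT chains to ROOT as the only trust anchor.
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Digest of the certificate's public key, and its serial number.
key_fp() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
serial() { openssl x509 -in "$1" -noout -serial; }

report() {
    make_lab || return 1
    for r in old new rekeyed; do
        if trusts "$LAB/root_$r.pem" "$LAB/node.pem"; then s="verifies"; else s="FAILS"; fi
        echo "root_$r $(serial "$LAB/root_$r.pem"): node certificate $s"
    done
    rm -rf "$LAB"
}

report
```

The node certificate verifies against both the original and the renewed root, whose serial numbers differ, and fails against the root that carries the same subject but a new key.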
