Re: ISE renew Root Certificate

star btsistem · ‎12-05-2021

Hi all,

We need to renew internal root certificate. When i try to import the new root certificate, it gives an alert

“A certificate with the the same private key has already been imported. In some situations, it may be necessary to import a duplicate certificate in ISE, for example, when a certificate is renewed in Microsoft CA Services without replacing the private key. If you proceed, the existing certificate will be replaced. Do you wish to replace the existing certificate?”.

If it replaces the old root certificate with the new one, do we need to renew the certificates that installed on the nodes used for EAP, admin, portal etc. ?

Thanks,

Greg Gibbs · ‎12-06-2021

If you renewed the CA certificate without changing the private key, the certificates signed by the previous CA will still trust the new Root CA cert. The serial number of the Root cert will change, but if you look at the identity certificates, they should still show that 'Certificate status is good'.

star btsistem · ‎12-07-2021

Hi Greg,

Thanks for your response. The MS Teams stated that the private key is not changed. The only change is the encryption type. It is changed from sha1 to sha256. Is this become a problem ?

Thanks,

Greg Gibbs · ‎12-08-2021

As long as the private key has not changed, it should not affect the certificate trust. However, if your identity certificates are also using SHA1, you should also replace them with new SHA256 certificates to increase the level of security.