Showing results for 
Search instead for 
Did you mean: 

ISE renew Root Certificate

star btsistem

Hi all,


We need to renew internal root certificate. When i try to import the new root certificate, it gives an alert 

“A certificate with the the same private key has already been imported. In some situations, it may be necessary to import a duplicate certificate in ISE, for example, when a certificate is renewed in Microsoft CA Services without replacing the private key. If you proceed, the existing certificate will be replaced. Do you wish to replace the existing certificate?”.


If it replaces the old root certificate with the new one, do we need to renew the certificates that installed on the nodes used for EAP, admin, portal etc. ?




Greg Gibbs
Cisco Employee
Cisco Employee

If you renewed the CA certificate without changing the private key, the certificates signed by the previous CA will still trust the new Root CA cert. The serial number of the Root cert will change, but if you look at the identity certificates, they should still show that 'Certificate status is good'.

Hi Greg,

Thanks for your response. The MS Teams stated that the private key is not changed. The only change is the encryption type. It is changed from sha1 to sha256. Is this become a problem ?



As long as the private key has not changed, it should not affect the certificate trust. However, if your identity certificates are also using SHA1, you should also replace them with new SHA256 certificates to increase the level of security.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: