Local certificate 'Default self-signed saml server certificate' will expire in X days

Senthilkumaran (Level 1)

Hi All,

I am trying to renew my SAML certificate for the ISE environment, but I need some clarification on this upgrade.

Do I have to generate a new CSR and then import the certificate?

or

In System Certificates, can I generate a self-signed certificate and use it?

For external certificates we need to create a CSR and get it signed by an external authority. As this is the default self-signed certificate that is going to expire, do we need to generate a CSR for this too?
7 Replies

Greg Gibbs (Cisco Employee)

If you just want to replace an expiring self-signed certificate with another self-signed cert (especially if it's a service you are not using), you would just use the Generate Self-Signed Certificate option and specify the Usage (SAML, in this case).

You might want to just add something in the OU field (like 'SAML') to ensure that the cert subject is not the same as any of the other certs, as ISE will not allow that.

Hi Greg,

Thanks for the reply. Now I am clear.

Hello Greg,

Our cert was expiring in a week, so we renewed the self-signed certificate for 10 years per the renewal option list box. We did this and are now seeing the following issue when trying to connect to ISE via Firefox Portable (which was working fine previously).

It states: an error has occurred during a connection to 172.18.x.x. You have received an invalid certificate. Your certificate contains the same serial number as another certificate issued by the certificate authority (this is self-signed again). Please get a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL.

Please advise what can be done to reconnect to ISE using Firefox Portable; we removed the cert in the Firefox browser and it still does not work.

Removing exceptions in firefox browser 'server and authorization' areas did the trick to permit the new certificate to be used.

Arne Bier (VIP)

Hello @Senthilkumaran

You can renew the lifetime of any ISE self-signed certificate. It's quicker than generating a CSR etc. It means that the private key will not change, nor will the certificate's serial number. After the lifetime extension you will notice the new Valid From and Valid To dates, as well as a new SHA1 fingerprint.

Select the SAML System cert, click Edit, then scroll to the bottom and edit.

[Screenshot: ise-renew.PNG]
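Both answers in this thread describe the two ways ISE can replace the expiring self-signed SAML certificate: Greg's (generate a fresh self-signed cert, ideally with a distinguishing OU) and Arne's (extend the lifetime, which keeps the private key and the serial number and changes only the dates and fingerprint). The script below is an added example, not from the thread, from Cisco, or from ISE itself; it reproduces both outcomes with OpenSSL so you can see what a browser that cached the old certificate will compare. It assumes `openssl` is on the PATH, and the hostname, OU and serial numbers are made up. The `reused_issuer_and_serial` check flags exactly the condition Firefox reports as SEC_ERROR_REUSED_ISSUER_AND_SERIAL (same issuer and serial, different certificate bytes), and `expires_within_days` is the condition behind the ISE expiry alarm in the thread title.

```shell
#!/bin/sh
# Added example (not from the thread, from Cisco, or from ISE): model an ISE
# lifetime "renewal" (same key, same serial, new validity) next to a freshly
# generated self-signed cert, then test for the issuer+serial reuse that
# Firefox rejects. Hostname, OU and serial numbers below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical ISE node; OU=SAML as Greg suggests, so the subject stays unique.
SUBJ="/CN=ise.example.local/OU=SAML"

# One private key, reused for the "renewed" cert exactly as ISE's renewal does.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null

# Original cert and its lifetime extension: same key, same serial, new dates.
openssl req -x509 -new -key "$WORK/key.pem" -subj "$SUBJ" \
    -days 365  -set_serial 0x1001 -out "$WORK/old.pem"
openssl req -x509 -new -key "$WORK/key.pem" -subj "$SUBJ" \
    -days 3650 -set_serial 0x1001 -out "$WORK/renewed.pem"

# A freshly generated self-signed cert gets a new key and a new serial.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/key2.pem" \
    -subj "$SUBJ" -days 3650 -set_serial 0x1002 -out "$WORK/fresh.pem" 2>/dev/null

# Issuer DN plus serial number: the pair a browser's cert cache is keyed on.
cert_issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' ' '
}

# SHA-256 fingerprint of the DER bytes; changes whenever any field changes.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True (exit 0) when $2 would be rejected by a client that cached $1:
# identical issuer and serial, but different certificate bytes.
reused_issuer_and_serial() {
    [ "$(cert_issuer_serial "$1")" = "$(cert_issuer_serial "$2")" ] &&
    [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}

# True (exit 0) when the cert expires within $2 days; -checkend exits 0
# only if the cert is still valid after that many seconds.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

for c in old renewed fresh; do
    printf '%s: %s fp=%s\n' "$c" \
        "$(cert_issuer_serial "$WORK/$c.pem")" "$(cert_fingerprint "$WORK/$c.pem")"
done

if reused_issuer_and_serial "$WORK/old.pem" "$WORK/renewed.pem"; then
    echo "renewed.pem reuses the issuer+serial of old.pem: a browser that cached old.pem will reject it"
fi
if ! reused_issuer_and_serial "$WORK/old.pem" "$WORK/fresh.pem"; then
    echo "fresh.pem has a new serial: no cache collision"
fi
```

Run the same `cert_issuer_serial` and `cert_fingerprint` calls against the certificate ISE actually serves (for example `openssl s_client -connect <ise-node>:443 </dev/null | openssl x509`) before and after the change; if the issuer and serial match but the fingerprint differs, expect clients that pinned or cached the old certificate to fail until that cached copy is removed, as the Firefox reports in this thread describe.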

Hi Arne Bier,

Thanks for the reply. Now I am clear about certificate renewal.

Hello Arne,

Our cert was expiring in a week, so we renewed the self-signed certificate for 10 years per the renewal option list box. We did this and are now seeing the following issue when trying to connect to ISE via Firefox Portable (which was working fine previously).

It states: an error has occurred during a connection to 172.18.x.x. You have received an invalid certificate. Your certificate contains the same serial number as another certificate issued by the certificate authority (this is self-signed again). Please get a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL.

Please advise what can be done to reconnect to ISE using Firefox Portable; we removed the cert in the Firefox browser and it still does not work.
