08-27-2020 07:47 AM
Hi All,
I am trying to renew my SAML certificate for the ISE environment, but I need some clarification on this upgrade.
Do I have to generate a new CSR and then import the certificates,
or
in System Certificates --> can I generate a self-signed certificate and use it?
For external certificates, we need to create a CSR and get it signed by an external authority. As this is the default self-signed certificate which is going to expire, do we need to generate a CSR for this too?
08-27-2020 04:56 PM
If you just want to replace an expiring self-signed certificate with another self-signed cert (especially if it's a service you are not using), you would just use the Generate Self-Signed Certificate option and specify the Usage (SAML, in this case).
You might want to just add something in the OU field (like 'SAML') to ensure that the cert subject is not the same as any of the other certs, as ISE will not allow that.
08-31-2020 04:36 AM
Hi Greg,
Thanks for the reply. Now I am clear.
09-02-2020 06:13 AM
Hello Greg,
Our cert was expiring in a week, so we renewed the self-signed certificate for 10 years per the renewal option list box. We did this and are now seeing the following issue when trying to connect to ISE via Firefox Portable (which was working fine previously).
It states an error has occurred during a connection to 172.18.x.x. You have received an invalid certificate. Your certificate contains the same serial number as another certificate issued by the cert authority (this is self-signed again). Please get a unique serial number - error code, sec error reused issuer and serial.
Please advise what can be done to reconnect to ISE using Firefox Portable. We removed the cert in the Firefox browser and it still does not work.
09-02-2020 08:12 AM
Removing exceptions in the Firefox browser 'server and authorization' areas did the trick to permit the new certificate to be used.
08-27-2020 09:18 PM
Hello @Senthilkumaran
You can renew the lifetime of any ISE self-signed certificate. It's quicker than generating a CSR etc. It means that the private key will not change, and nor will the certificate's serial number. After the lifetime extension you will notice the new Valid From and Valid To dates, as well as a new SHA1 fingerprint.
Select the SAML System cert, click edit and then scroll to the bottom and edit.
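The renewal described above keeps the serial number while the fingerprint changes, which is the condition behind the Firefox "reused issuer and serial" error reported in this thread. As an added example (not from the original posts or from Cisco), the shell functions below use the OpenSSL CLI to flag two certificates that share issuer and serial but are different certificates; the subject, serial numbers and file names are constructed for the demo.

```shell
# Print "issuer|serial|" for a PEM certificate.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# Print the SHA-256 fingerprint of a PEM certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when two certificates share issuer and serial but are
# different certificates (different fingerprint), 1 otherwise.
reused_issuer_serial() {
    [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ] &&
        [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]
}

# Build constructed sample certificates in directory $1:
#   old.pem      original self-signed cert
#   renewed.pem  same key, subject and serial, longer lifetime
#   fresh.pem    same key and subject, new serial
make_demo_certs() {
    subj="/CN=ise.example.test/OU=SAML"   # constructed subject
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/old.pem" -days 365 -subj "$subj" -set_serial 4660 2>/dev/null &&
    openssl req -x509 -new -key "$1/key.pem" -out "$1/renewed.pem" \
        -days 3650 -subj "$subj" -set_serial 4660 2>/dev/null &&
    openssl req -x509 -new -key "$1/key.pem" -out "$1/fresh.pem" \
        -days 3650 -subj "$subj" -set_serial 4661 2>/dev/null
}

# Compare the old cert against a same-serial renewal and a new-serial cert.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_certs "$dir" || return 1
    for c in renewed fresh; do
        if reused_issuer_serial "$dir/old.pem" "$dir/$c.pem"; then
            echo "$c.pem: same issuer+serial as old.pem, different fingerprint"
        else
            echo "$c.pem: no issuer+serial collision with old.pem"
        fi
    done
    rm -rf "$dir"
}
demo
```

To compare real certificates, export the old and renewed certificates as PEM files and pass them to `reused_issuer_serial`.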
08-31-2020 04:35 AM
Hi Arne Bier,
Thanks for the reply. Now I am clear about certificate renewal.
09-02-2020 06:14 AM
Hello Arne,
Our cert was expiring in a week, so we renewed the self-signed certificate for 10 years per the renewal option list box. We did this and are now seeing the following issue when trying to connect to ISE via Firefox Portable (which was working fine previously).
It states an error has occurred during a connection to 172.18.x.x. You have received an invalid certificate. Your certificate contains the same serial number as another certificate issued by the cert authority (this is self-signed again). Please get a unique serial number - error code, sec error reused issuer and serial.
Please advise what can be done to reconnect to ISE using Firefox Portable. We removed the cert in the Firefox browser and it still does not work.