Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1091
Views
4
Helpful
7
Replies

Microsoft Azure TLS Issuing CA certificate expire in Cisco ISE

Ariel_DF
Level 1
Level 1

‎05-30-2024 04:58 AM

Hello everyone,
We have these Azure certificates installed on a Cisco ISE server, to support the MDM integration:
Microsoft Azure TLS Issuing CA 01
Microsoft Azure TLS Issuing CA 02
Microsoft Azure TLS Issuing CA 05
Microsoft Azure TLS Issuing CA 06

ISE is reporting that these certificates will expire in 32 days. I've tried to locate the new certificates but without success. 
Anyone else has happened?? Would you know of any solution?

Thanks!!

0 Helpful
7 Replies 7

marce1000
VIP
VIP

‎05-30-2024 06:45 AM

 

         - FYI : https://learn.microsoft.com/en-us/answers/questions/1638370/when-will-microsoft-azure-tls-issuer-be-updated-(e
                             Scroll down to the Accepted Answer ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Ariel_DF
Level 1
Level 1
In response to Greg Gibbs

‎06-03-2024 12:49 AM

Thanks for the response, I'm going to try to load those certificates to see if everything works OK.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Ariel_DF

‎06-04-2024 03:07 PM - edited ‎06-04-2024 03:08 PM

Actually, an update on this... as per the most recent updates to this MS document, the certificate rotation for the API endpoints used for the Compliance Retrieval (NAC 2.0) API have resulted in ISE only needing to trust the DigiCert Global Root G2 CA certificate for the MDM lookups to work.

"Network Access Control (NAC) note

For all Network Access Control (NAC) scenarios, when using a 3rd party provider such as Cisco, please be sure your NAC provider has validated their root CA config. They should have how to do this documented, but in case they don’t:

  1. Add DigiCert Global Root G2 to their trusted CA store
  2. For some providers, they many need to validate the configuration and update as needed.
  3. Confirm your network can receive traffic so that the configuration can be pushed down to individual ISE boxes.
  4. For some providers note that it can take time for updates to be distributed."

My guess is that MS fixed something in the way the certificate signing or chain was done in the past.

I removed all of the MS TLS and MS RSA TLS certs from my ISE instance and the Intune MDM lookups still work as expected. Only if I delete the DigiCert Global Root G2 CA certificate, can I make the lookups fail. This is actually how one would expect the trust to properly work.

Ariel_DF
Level 1
Level 1
In response to Greg Gibbs

‎06-05-2024 01:04 AM

Hello Greg, 

I had seen this a few days ago, but I had doubts because of what it says in this link:

https://techcommunity.microsoft.com/t5/azure-storage-blog/azure-storage-tls-changes-intermediate-certificate-renewals/ba-p/3929149

We have yet to define a work window outside of business hours to do this, but what you mentioned has been of great help to me.

Thanks!! 

 

 

0 Helpful

craiglebutt
Level 4
Level 4
In response to Greg Gibbs

‎06-21-2024 12:57 AM

Hi, I remember settring these certs up agaes ago, to clarify this is for just the MDM part for ISE?  If ISE is not carrying out the MDM, we don't need to bothere about this?

Cheers

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to craiglebutt

‎06-21-2024 03:55 PM

@craiglebutt... correct. Also, I believe the Digicert Global Root G2 CA cert is installed in the Trust Store by default in more recent versions of ISE as it likely signs other public certs as well.

Customers Also Viewed These Support Documents