Microsoft Azure TLS Issuing CA certificates expiring in Cisco ISE
05-30-2024 04:58 AM
Hello everyone,
We have these Azure certificates installed on a Cisco ISE server, to support the MDM integration:
Microsoft Azure TLS Issuing CA 01
Microsoft Azure TLS Issuing CA 02
Microsoft Azure TLS Issuing CA 05
Microsoft Azure TLS Issuing CA 06
ISE is reporting that these certificates will expire in 32 days. I've tried to locate the new certificates but without success.
Has this happened to anyone else? Would you know of any solution?
Thanks!!
05-30-2024 06:45 AM
- FYI : https://learn.microsoft.com/en-us/answers/questions/1638370/when-will-microsoft-azure-tls-issuer-be-updated-(e
Scroll down to the Accepted Answer.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

05-31-2024 02:19 AM
06-03-2024 12:49 AM
Thanks for the response, I'm going to try to load those certificates to see if everything works OK.

06-04-2024 03:07 PM - edited 06-04-2024 03:08 PM
Actually, an update on this... as per the most recent updates to this MS document, the certificate rotation for the API endpoints used for the Compliance Retrieval (NAC 2.0) API have resulted in ISE only needing to trust the DigiCert Global Root G2 CA certificate for the MDM lookups to work.
"Network Access Control (NAC) note
For all Network Access Control (NAC) scenarios, when using a 3rd party provider such as Cisco, please be sure your NAC provider has validated their root CA config. They should have how to do this documented, but in case they don’t:
- Add DigiCert Global Root G2 to their trusted CA store.
- For some providers, they may need to validate the configuration and update as needed.
- Confirm your network can receive traffic so that the configuration can be pushed down to individual ISE boxes.
- For some providers note that it can take time for updates to be distributed."
My guess is that MS fixed something in the way the certificate signing or chain was done in the past.
I removed all of the MS TLS and MS RSA TLS certs from my ISE instance and the Intune MDM lookups still work as expected. Only if I delete the DigiCert Global Root G2 CA certificate, can I make the lookups fail. This is actually how one would expect the trust to properly work.
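The behaviour described in the post above (trust the root only, the issuing CA comes with the server's chain, remove the root and the lookup fails) can be reproduced offline with a small constructed PKI. This is an added example, not code from the thread, Cisco or Microsoft: the names "Demo Global Root G2", "Demo TLS Issuing CA 01" and "mdm.example.test" are made up stand-ins for DigiCert Global Root G2, the Microsoft Azure TLS Issuing CA intermediates and the Intune endpoint, and the only requirement is an `openssl` binary in PATH. The intermediate is deliberately issued for 30 days so the expiry check trips at the same 32-day threshold ISE warned about.

```shell
#!/bin/sh
# Added example (not from the thread). Builds root -> issuing CA -> leaf and
# shows which trust-store contents let the leaf validate. All names are
# constructed; nothing here talks to Microsoft or Cisco.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

make_pki() {
  # Config used for every request: non-interactive, plus CA extensions for
  # the self-signed root (x509_extensions only applies to "req -x509").
  cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Global Root G2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the one thing that belongs in the trust store.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key \
    -config req.cnf -days 3650 -out root.pem 2>/dev/null

  # Intermediate "TLS Issuing CA", valid only 30 days (mirrors the rotation
  # that caused ISE's "expires in 32 days" warning).
  openssl req -new -newkey rsa:2048 -nodes -keyout ica.key -config req.cnf \
    -subj "/CN=Demo TLS Issuing CA 01" -out ica.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ica.ext
  openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ica.ext -out ica.pem 2>/dev/null

  # Leaf for the (made-up) MDM endpoint, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -config req.cnf \
    -subj "/CN=mdm.example.test" -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mdm.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA ica.pem -CAkey ica.key -CAcreateserial \
    -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Trust store = root only; the intermediate arrives alongside the leaf, the
# way a correctly configured TLS server sends it in the handshake. Succeeds.
verify_root_only() {
  openssl verify -CAfile root.pem -untrusted ica.pem leaf.pem >/dev/null 2>&1
}

# Trust store = root only, but the server did not present the intermediate:
# no path to the root can be built, so validation fails.
verify_missing_intermediate() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Trust store = intermediate only, no root. OpenSSL's default policy requires
# a self-signed anchor, so this fails...
verify_intermediate_only() {
  openssl verify -CAfile ica.pem leaf.pem >/dev/null 2>&1
}

# ...unless the validator is told to accept a non-root trust entry as an
# anchor. That works, but must be redone every time the issuing CA rolls,
# which is exactly the maintenance trap the thread is about.
verify_pinned_intermediate() {
  openssl verify -partial_chain -CAfile ica.pem leaf.pem >/dev/null 2>&1
}

# Exit 0 if certificate $1 expires within $2 days (ISE's warning threshold
# in the thread was 32). "-checkend" exits 0 while the cert is still valid
# after that many seconds, so the sense is inverted here.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

make_pki
for f in verify_root_only verify_missing_intermediate \
         verify_intermediate_only verify_pinned_intermediate; do
  if "$f"; then echo "$f: valid"; else echo "$f: NOT valid"; fi
done
for c in ica.pem root.pem; do
  if expires_within_days "$c" 32; then echo "$c: expires within 32 days"; else echo "$c: fine"; fi
done
```

The practical takeaway matches the post: with only the root in the trust store the chain validates as long as the endpoint presents its intermediate, and the expiring intermediates never needed to be trusted directly. To apply the same check to the real endpoint, capture the presented chain with `openssl s_client -showcerts` against the MDM host ISE is configured for and run the root-only `openssl verify` over it.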
06-05-2024 01:04 AM
Hello Greg,
I had seen this a few days ago, but I had doubts because of what it says in this link:
We have yet to define a work window outside of business hours to do this, but what you mentioned has been of great help to me.
Thanks!!
06-21-2024 12:57 AM
Hi, I remember setting these certs up ages ago. To clarify, this is just for the MDM part of ISE? If ISE is not carrying out the MDM, we don't need to bother about this?
Cheers

06-21-2024 03:55 PM
@craiglebutt... correct. Also, I believe the Digicert Global Root G2 CA cert is installed in the Trust Store by default in more recent versions of ISE as it likely signs other public certs as well.
