
OCSP cert renewal

Hello Team,

Please check the attached error message (OCSP.PNG). This is generated when we tried to renew the OCSP responder certificate.

We have 10 nodes in the deployment (2 Admin/2 MnT/6 PSN) running on 2.3 patch 7.

We are only using the Base and TACACS services, and we have our own CA server installed on a Microsoft server.

We don't have the BYOD service.

Can anyone please explain why we are getting that error while renewing the OCSP certificate, and how to mitigate it?

Also, I have noticed that our CA, EST and OCSP responder are disabled for the Admin and MnT nodes. Refer to the snap below:

10 nodes.PNG

Thanks in advance.

1 Reply
Greg Gibbs
Cisco Employee

The OCSP Responder certificate is used by the ISE Internal CA as part of the BYOD services.

What is the reason for renewing the OCSP Responder certificate? If it is expiring/expired, the ISE Root CA that signed that certificate is likely also expiring/expired.

Have you tried replacing the entire ISE Root CA chain? If so, and you are getting the same error, you will likely need to open a TAC case. I have seen that error referenced in other TAC cases related to Internal CA issues after an upgrade from an earlier version of ISE. The TAC engineer might have to issue a temporary Plus license to resolve the issue.

As for the CA, EST, and OCSP services showing Not Running on the Admin and MnT nodes, this is normal. Only the PSNs run these services, as they are the nodes that issue certificates to the endpoints.

Please note that ISE 2.3 is past the milestone for End of Software Maintenance so there will be no more patches for this version. It will also reach End of Support on 17 July 2020. You should strongly consider upgrading to a supported version ASAP.
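The reply's point that an expiring OCSP Responder certificate usually means the Root CA that signed it is expiring too can be checked on an exported chain before any renewal is attempted. The Go example below is added here and is not Cisco's or ISE's code: it builds a constructed toy root and OCSP-signing certificate (the names BuildToyChain, CheckChain and the toy subjects are assumptions) and shows the check flagging both certificates inside the warning window, and rejecting an unrelated CA, so that renewing the leaf alone is recognised as insufficient.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ChainStatus: does the leaf chain to the CA, and is either cert expired or expiring within the window?
type ChainStatus struct{ IssuerValid, LeafExpiring, CAExpiring bool }

// CheckChain: run before renewing a leaf such as the OCSP Responder cert; if CAExpiring, the leaf alone is not the fix.
func CheckChain(leaf, ca *x509.Certificate, now time.Time, warn time.Duration) ChainStatus {
	return ChainStatus{
		IssuerValid:  leaf.CheckSignatureFrom(ca) == nil,
		LeafExpiring: now.Add(warn).After(leaf.NotAfter),
		CAExpiring:   now.Add(warn).After(ca.NotAfter),
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // self-signed when parent == tmpl
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der) // parse the DER back so the checks run on a real certificate
	if err != nil {
		panic(err)
	}
	return c
}

// BuildToyChain: a self-signed root plus an OCSP-signing leaf it issued (constructed toy certs, not ISE's); the leaf expires a day before the root.
func BuildToyChain(notBefore, caExpiry time.Time) (leaf, ca *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"}, NotBefore: notBefore,
		NotAfter: caExpiry, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = mustCert(caTmpl, caTmpl, caPub, caKey)
	leaf = mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Toy OCSP Responder"}, NotBefore: notBefore,
		NotAfter: caExpiry.Add(-24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
	}, ca, leafPub, caKey)
	return leaf, ca
}
```

On a real deployment the same CheckChain call would be run on the exported Root CA and OCSP Responder certificates rather than on the toy chain.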
