OCSP cert renewal

Hello Team,

Please check the attached error message (OCSP.PNG). This is generated when we tried to renew the OCSP responder certificate.

We have 10 nodes in the deployment (2 Admin / 2 MnT / 6 PSN) running on 2.3 patch 7.

We are only using the Base and TACACS services, and we have our own CA server installed on a Microsoft server.

We don't have the BYOD service.

Can anyone please explain why we are getting that error while renewing the OCSP certificate and how to mitigate it?

Also, I have noticed that our CA, EST and OCSP responder are disabled for the Admin and MnT nodes. Refer to the snapshot below.

[Attachment: 10 nodes.PNG]

Thanks in advance.

1 Reply

Greg Gibbs (Cisco Employee)

The OCSP Responder certificate is used by the ISE Internal CA as part of the BYOD services.

What is the reason for renewing the OCSP Responder certificate? If it is expiring/expired, the ISE Root CA that signed that certificate is likely also expiring/expired.

Have you tried replacing the entire ISE Root CA chain? If so, and you are getting the same error, you will likely need to open a TAC case. I have seen that error referenced in other TAC cases related to Internal CA issues after an upgrade from an earlier version of ISE. The TAC engineer might have to issue a temporary Plus license to resolve the issue.

As for the CA, EST, and OCSP services not running on the Admin and MnT nodes, this is normal. Only the PSNs run these services, as they are the nodes that issue certificates to the endpoints.

Please note that ISE 2.3 is past the milestone for End of Software Maintenance, so there will be no more patches for this version. It will also reach End of Support on 17 July 2020. You should strongly consider upgrading to a supported version ASAP.
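The point in the reply that an expiring OCSP responder certificate usually means the root CA that signed it is expiring too can be checked before deciding whether to renew just the responder certificate or the whole chain. The script below is an added example written for this page, not Cisco's code or a command from the thread: it uses openssl against a locally constructed root CA / responder pair with placeholder names, and the 90-day look-ahead horizon is an assumption. With exported ISE certificates the same functions can be pointed at the real PEM files instead of the constructed ones.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): given an OCSP responder
# certificate and the root CA certificate that signed it, report whether the
# responder certificate can be renewed on its own or whether the whole CA chain
# expires with it. A constructed root/responder pair is generated locally so
# the script runs offline; the subject names are placeholders.
set -eu

WORKDIR="$(mktemp -d)"
ROOT_CERT="$WORKDIR/root.pem"
OCSP_CERT="$WORKDIR/ocsp.pem"

# make_sample_chain ROOT_DAYS LEAF_DAYS
# Constructed sample: a self-signed root CA valid for ROOT_DAYS and an OCSP
# responder certificate signed by it, valid for LEAF_DAYS. Choosing
# LEAF_DAYS > ROOT_DAYS reproduces a responder certificate that outlives
# its issuer, which is the case the reply warns about.
make_sample_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -subj "/CN=Example ISE Root CA" \
    -keyout "$WORKDIR/root.key" -out "$ROOT_CERT" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example OCSP Responder" \
    -keyout "$WORKDIR/ocsp.key" -out "$WORKDIR/ocsp.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/ocsp.csr" -CA "$ROOT_CERT" \
    -CAkey "$WORKDIR/root.key" -CAcreateserial -days "$2" -sha256 \
    -out "$OCSP_CERT" 2>/dev/null
}

# expires_within CERT SECONDS -> prints yes/no
# openssl -checkend exits 0 only when the cert is still valid SECONDS from now.
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# chain_verifies LEAF ROOT -> prints ok/fail
# Confirms the leaf was actually issued by the given root (signature + validity).
chain_verifies() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# renewal_scope LEAF ROOT HORIZON_SECONDS -> one of:
#   "renew whole chain"    root expires within the horizon, or chain is broken
#   "renew responder only" only the responder certificate expires
#   "no action"            neither expires within the horizon
renewal_scope() {
  if [ "$(chain_verifies "$1" "$2")" != ok ] || \
     [ "$(expires_within "$2" "$3")" = yes ]; then
    echo "renew whole chain"
  elif [ "$(expires_within "$1" "$3")" = yes ]; then
    echo "renew responder only"
  else
    echo "no action"
  fi
}

# Demo: root valid 30 days, responder valid 365 days, look 90 days ahead
# (the horizon is an assumed operational threshold, not an ISE setting).
HORIZON=$((90 * 86400))
make_sample_chain 30 365
echo "root CA expires within 90d:   $(expires_within "$ROOT_CERT" "$HORIZON")"
echo "responder expires within 90d: $(expires_within "$OCSP_CERT" "$HORIZON")"
echo "responder chains to root:     $(chain_verifies "$OCSP_CERT" "$ROOT_CERT")"
echo "recommended action:           $(renewal_scope "$OCSP_CERT" "$ROOT_CERT" "$HORIZON")"
```

The decision function deliberately treats a broken chain the same as an expiring root: if the responder certificate no longer verifies against the CA that is supposed to have issued it, renewing the responder alone cannot fix the deployment.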
