
Renew CA Certificate authority on ISE

SMD28316
Level 1

For CA Certificates on ISE (deployment > system > certificates > certificate authority > certificate authority certificates), how can I restore these certificates if they became expired? I couldn't find the renew option.

And how do I check if they are safe to be removed? I mean, will restoring them cause problems with EAP authentication? If so, should I restore them during a maintenance window?

 

 


Milos_Jovanovic
VIP Alumni

Hi @SMD28316 

These are most often public CA certificates which are expiring these days (I remember seeing one a few months ago, and one more is expiring again in the next month or so). If that is the case, then you can't do anything - they are public CAs and they are the ones responsible for renewing them. You get new CA certificates on your ISE deployment via upgrade or patch, if needed. In case you have your own CAs which are expiring, it is your responsibility to handle it.

Most often, these CA certificates are used to validate Cisco's services (such as Smart Licensing or updates needed for posturing). Cisco is well aware of this, and they are renewing certificates on their portals, and also replicating these changes on other systems, such as ISE (via patch or upgrade). Unless you configured some services manually to use these specific CAs, you can delete them and not be worried. Either way, once expired, it is almost as good as deleted.

If you want to be on the safe side, you can manually export it before deleting it. This way, if it turns out you configured something and are not aware of it, you can import it back (although I believe ISE wouldn't let you delete a Root CA if it has some dependency in identity certificates).

BR,

Milos

hslai
Cisco Employee

Only ISE OCSP Responder certificates have the option for renewal. The others have the same expiration date as the root CA, so we need to replace the whole ISE CA chains.

The options are available in the drop-down menu for Usage in the Certificate Signing Request page.