01-17-2025 03:37 PM
Hello,
Our default self-signed server certificates are about to expire, so I need to know if it is possible to renew them by manually editing them this way without breaking the cluster.
Certificate to renew:
Deployment, 1 prim admin, 1 prim monitoring
ISE version 2.7
Thanks in advance
01-17-2025 11:39 PM - edited 01-17-2025 11:40 PM
- FYI: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html
https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897
M.
01-18-2025 02:35 AM
@victormanuelsolis refer to the ISE certificate renewal guide already provided. Bear in mind when you replace the "admin" certificate the ISE services will restart. Ideally you should use your internal CA to sign the certificates.
FYI, ISE 2.7 is End of Life and End of Support, you should look to upgrade asap. ISE 3.3 patch 4 is the current Cisco recommended version.
01-18-2025 04:33 AM
Yes, you can renew that self-signed certificate by leveraging the "Renewal Period" feature. When you enable that tick box, you will have to define the period in which the certificate should be renewed before its expiry date.
01-24-2025 08:05 AM - edited 01-24-2025 08:05 AM
Thanks for your answer. Should I renew the primary or the secondary first? Take into account that we have different certificates for each box.
01-19-2025 09:52 AM
Hi @victormanuelsolis ,
Please take a look at ISE - Queue Link Error, search for Generate Signing Requests (CSR).
Hope this helps!!!