Renew Default self-signed server certificate Cisco ISE 2.7

Hello,

Our Default self-signed server certificates are about to expire, so I need to know if it is possible to renew them manually by editing them in this way without breaking the cluster.

[attached screenshot: victormanuelsolis_0-1737156720835.png]

Certificate to renew:

[attached screenshot: victormanuelsolis_1-1737156844960.png]

Deployment, 1 prim admin, 1 prim monitoring

[attached screenshot: victormanuelsolis_2-1737156934508.png]

ISE version 2.7

Thanks in advance

Accepted Solution

Yes, you can renew that self-signed certificate by leveraging the "Renewal Period" feature. When you enable that tick box you will have to define the period in which the certificate should be renewed before its expiry date.

Replies

marce1000 (Hall of Fame)

- FYI:
  https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html
  https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

  M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

@victormanuelsolis refer to the ISE certificate renewal guide already provided. Bear in mind when you replace the "admin" certificate the ISE services will restart. Ideally you should use your internal CA to sign the certificates.

FYI, ISE 2.7 is End of Life and End of Support, you should look to upgrade asap. ISE 3.3 patch 4 is the current Cisco recommended version.

Yes, you can renew that self-signed certificate by leveraging the "Renewal Period" feature. When you enable that tick box you will have to define the period in which the certificate should be renewed before its expiry date.

Thanks for your answer. Should I renew the primary or the secondary first? Take into account that we have different certificates for each box.

You're welcome. Why different certificates? Both nodes are in the same deployment, right? When you configure the option to renew the self-signed certs, it is configured from the primary PAN and it applies to the deployment, not to the individual nodes. So, when you do it from there, you should be good to go with both nodes.

Thanks, I don't know why we have 2 different certificates, I received these boxes in this way. However, I'll start with the renewal of the primary admin and hope it applies to the secondary.

Actually because they are self-signed certs it would make sense to have them different because each node would have generated its own certificate, but anyway, changing the renewal config would apply to both and you should be good with both of them.
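The two replies above make two points worth checking from the outside before and after a renewal: each node carries its own self-signed certificate (so the fingerprints are expected to differ), and the renewal should happen inside the configured "Renewal Period" before expiry. The following script is an added example, not code from this thread or from Cisco. It parses the `notAfter=` line printed by `openssl x509 -noout -enddate` (the format is a known openssl output format, the certificate dates, hostnames, fingerprints and the 30-day renewal window below are constructed for the demo) and reports, per node, how many days remain and whether the certificate is ok, inside the renewal window, or already expired.

```python
"""Expiry check for ISE node admin-portal certificates (added example).

Feeds on the text that `openssl x509 -noout -enddate -fingerprint -sha256`
prints for each node's certificate. The sample data at the bottom is
constructed; nothing here talks to a real deployment.
"""
from datetime import datetime, timezone

# Date layout used by `openssl x509 -noout -enddate`, for example:
#   notAfter=Jan 18 10:30:00 2025 GMT
# openssl pads single-digit days with a space ("Jan  8 ..."); strptime
# treats a space in the format as "one or more" whitespace, so that parses.
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(line: str) -> datetime:
    """Turn an openssl 'notAfter=...' line into a UTC-aware datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"expected a notAfter= line, got {line!r}")
    naive = datetime.strptime(value.strip(), _OPENSSL_DATE)
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days left until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def assess_node(not_after: datetime, now: datetime, renewal_days: int) -> str:
    """'expired', 'renew' (inside the renewal period) or 'ok'."""
    remaining = days_remaining(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= renewal_days:
        return "renew"
    return "ok"


def assess_deployment(nodes: dict, now: datetime, renewal_days: int) -> dict:
    """nodes maps node name -> (notAfter line, certificate fingerprint).

    Returns one report entry per node with its expiry, days left and status.
    """
    report = {}
    for name, (enddate_line, fingerprint) in nodes.items():
        not_after = parse_not_after(enddate_line)
        report[name] = {
            "not_after": not_after,
            "days": days_remaining(not_after, now),
            "status": assess_node(not_after, now, renewal_days),
            "fingerprint": fingerprint,
        }
    return report


def distinct_certificates(report: dict) -> bool:
    """True when every node presents a different certificate, which is the
    expected state for per-node self-signed certificates."""
    fingerprints = {entry["fingerprint"] for entry in report.values()}
    return len(fingerprints) == len(report)


def demo() -> dict:
    """Run the check over constructed sample data for a two-node deployment."""
    now = datetime(2025, 1, 18, tzinfo=timezone.utc)  # constructed "today"
    renewal_days = 30                                   # assumed renewal period
    nodes = {  # hostnames, dates and fingerprints are constructed
        "ise-pan.example.internal": (
            "notAfter=Feb 10 12:00:00 2025 GMT",
            "SHA256:AA:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE",
        ),
        "ise-mnt.example.internal": (
            "notAfter=Mar  5 09:00:00 2025 GMT",
            "SHA256:BB:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE",
        ),
    }
    return assess_deployment(nodes, now, renewal_days)


if __name__ == "__main__":
    result = demo()
    for node, entry in result.items():
        print(f"{node}: {entry['status']} ({entry['days']} days left, "
              f"expires {entry['not_after']:%Y-%m-%d})")
    print("per-node certificates differ:", distinct_certificates(result))
```

In practice the two input lines per node come from something like `openssl s_client -connect <node>:443 -servername <node> </dev/null 2>/dev/null | openssl x509 -noout -enddate -fingerprint -sha256`, run before the renewal to confirm both nodes are still inside the renewal period and again afterwards to confirm the new expiry date replicated to the secondary.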

Just FYI,

Certificates renewed from the primary admin node and it replicated to the secondary, with only 5 minutes of downtime due to the restart of the ISE application on both boxes. Duration of the renewed certificates: 10 years.

Thanks for sharing the outcome and glad to hear it worked as expected.

Hi @victormanuelsolis,

please take a look at ISE - Queue Link Error, search for Generate Signing Requests (CSR).

Hope this helps!!!