Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
122
Views
0
Helpful
1
Replies

Renew intermediate CA: potential impact on ISE deployment and EAP auth

REJR77
Level 1
Level 1

‎07-11-2024 05:49 AM

Dear all

In an ISE deployment with 4 ISE nodes (2 PAN and 2 PSN) we have qustions with Intermediate CA renewal

Here is our PKI infrastructure:

-MY-Root.CA (Root CA)

  • MY1-Issuing-CA (Intermediate CA) (Exp date 26/05/2025 S/N: xxxxxxxx00002)
  • MY2-Issuing-CA (Intermediate CA) (Exp date 26/05/2025 S/N: xxxxxxxx00003)

- Windows Endpoints have Clients certs used for EAP authentication signed by these 2 Issuing CA

- ISE nodes have all certs signed also by these Intermedaite CA

 

The 2 Intermediate CA are expiring in May 2025 and the customer has renewed them while keeping the Private Keys (Looks possible in Microsoft). So we have now 2 Intermediate CA with same private keys as before and different serial numbers

-MY-Root.CA (Root CA) (nothing changed)

  • MY1-Issuing-CA (Intermediate CA) (Exp date 26/05/2035 S/N: xxxxxxxx00005)
  • MY2-Issuing-CA (Intermediate CA) (Exp date 26/05/2035 S/N: xxxxxxxx00004)

We have updated the Intermediate CA in ISE Trusted Store with the new ones. As the private keys remain the same, new Intermediate certs replaced the former ones. And for now it looks that everything is working fine regarding the EAP authentication and ISE deployment.

We now need to renew ISE certs for Admin, EAP and PxGrid and I wonder if we are not in a bad situation where everything will brake (ISE deployment and EAP authentication).

Any recommandation? In which order renewing Admin / EAP certs on the nodes (PPAN first or SPAN or PSN?)

More globally how do you manage this Intermediate CA renewal?

Thanks

 

 

pki.png

0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎07-11-2024 02:26 PM

You're right about certificate hygiene in general - I have not seen a lot of industry guidance (best practices) about those Day 2 type of operations. 

But I also don't foresee any issues with you renewing the Admin cert of an ISE node, where the cert is issued by one of the new Intermediate CAs. As long as your web browsers have that new intermediate installed in their Trust Store, then all should be good. Renewing admin cert will restart services. I think you should renew the admin BEFORE the EAP cert, to prove the theory (less can go wrong).

Your EAP clients must of course have the new Intermediate CA certs in their trust store BEFORE you renew the ISE EAP system certs.  Renewing ISE EAP system certs does not restart services. It will replace the EAP system cert for the PSN that you are renewing.

Why was preserving the private keys of your previous Intermediate certs done?  Isn't that one of the security reasons for updating certs?

 

0 Helpful
Customers Also Viewed These Support Documents