Renew internal Intermediate CA

REJR77
Level 1

Hi,

We need to renew the Internal Intermediate CA certificate of our PKI.

This Intermediate CA is used to sign certificates for our laptops and we do 802.1x EAP-TLS with ISE.

We need to renew the certs (only the expiry date will change, private key will be the same).

On ISE what would be the exact procedure to replace the old cert with the new one? Just reimport it over the old one? Or can we have both certs in parallel? What about laptops signed with the old intermediate cert?

Thanks

regards

2 Replies

balaji.bandi
Hall of Fame

I don't think ISE will accept 2 root certs that are the same.

You can renew the certs the easy way with new certs, as below:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html

BB


Arne Bier
VIP

If you have a situation like this

Root CA (unchanged)
  Old Intermediate CA 1
  Old Intermediate CA 2

Then by creating a new Intermediate CA pair as shown below, you can simply import them into ISE under Trusted Certs and then you will have

Root CA (unchanged)
  Old Intermediate CA 1
  Old Intermediate CA 2
  New Intermediate CA 3
  New Intermediate CA 4

The PCs can be re-issued their client certs using CA 3 and CA 4.

Once CA 1 and CA 2 are no longer needed (or have expired) then delete them from ISE Trusted Certs.

Does the new Intermediate affect your ISE EAP System Cert at all? Was it also signed by CA1/2? If so, then you must, in addition to the above, also re-issue a new ISE EAP System Cert for ISE. Your clients won't have an issue with that, because all of this relates back to the Root CA, which is installed in ISE and on the clients.

Rule 1: Always install the new CA certs in ISE and clients BEFORE creating new endpoint certs (for the PC) or new ISE EAP System certs!
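
The parallel-trust migration described in the last reply can be rehearsed offline with the openssl CLI before touching ISE. This is an added example, not code from the thread or from Cisco, and it models a generic X.509 trust store rather than ISE's own validation. The CA names, hostnames, lifetimes and helper functions are constructed for the lab.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (names, lifetimes and paths are made up); uses only the openssl CLI.
set -eu
LAB=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$LAB/leaf.ext"

# new_csr NAME CN : fresh key pair and CSR for NAME
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
}

# issue NAME CN SIGNER EXTFILE : certificate for NAME signed by SIGNER's key
issue() {
  new_csr "$1" "$2"
  openssl x509 -req -in "$LAB/$1.csr" -days 30 -CA "$LAB/$3.pem" -CAkey "$LAB/$3.key" \
    -CAcreateserial -extfile "$LAB/$4" -out "$LAB/$1.pem" 2>/dev/null
}

build_lab() {
  new_csr root "Lab Root CA"                       # Root CA (unchanged throughout)
  openssl x509 -req -in "$LAB/root.csr" -signkey "$LAB/root.key" -days 30 \
    -extfile "$LAB/ca.ext" -out "$LAB/root.pem" 2>/dev/null
  issue old_int "Lab Old Intermediate CA" root ca.ext
  issue new_int "Lab New Intermediate CA" root ca.ext
  issue laptop_old "laptop-a.lab.example" old_int leaf.ext   # not yet re-issued
  issue laptop_new "laptop-b.lab.example" new_int leaf.ext   # already re-issued
}

# chain_ok LEAF CA... : exit 0 only if LEAF validates against a trust store
# that contains exactly the listed CA certificates
chain_ok() {
  cert=$1; shift
  : > "$LAB/store.pem"
  for ca in "$@"; do cat "$LAB/$ca.pem" >> "$LAB/store.pem"; done
  openssl verify -CAfile "$LAB/store.pem" "$LAB/$cert.pem" >/dev/null 2>&1
}

build_lab
for store in "root old_int" "root old_int new_int" "root new_int"; do
  for leaf in laptop_old laptop_new; do
    if chain_ok "$leaf" $store; then r=accepted; else r=REJECTED; fi
    echo "trust store [$store]: $leaf $r"
  done
done
```

The first store shows what happens when Rule 1 is skipped (the re-issued laptop is rejected), and the last shows why the old intermediates stay trusted until every laptop has been re-issued.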