Renew "Certificate Services Node CA" Certificate over internal CA

marcelma
Level 1

I'm looking for a way to renew the "Certificate Services Node CA" certificate that was signed by the internal Root CA. 

The Node CA is expired but was not renewed by ISE. I'm able to create a CSR but can't find a way to sign it, except exporting it and signing it with an external CA.

Any help would be appreciated.

Accepted Solutions

Greg Gibbs
Cisco Employee

If the Node CA certificate is expired, it's likely the entire Root chain has also expired. You can generate a new Root CA chain from the Administration > System > Certificates > Certificate Management > Certificate Signing Requests > Generate Certificate Signing Requests (CSR) page by selecting the ISE Root CA usage.


3 Replies

Thanks, this is working.

My Root CA is still valid for a few years, but as I'm unable to sign the Node CA CSR, the Root CA renewal is a good workaround, as ISE created every Sub-CA anew. I can now just remove the old certificates.

marinogr
Level 1

This is a working solution, thanks.

You need to "Enable Certificate Authority" if it is disabled.

Administration > System > Certificates > Certificate Authority > Internal CA Settings > Enable Certificate Authority