Beginner

Renew SCEP RA certificate in ISE

Hi!

The RA certificate has been renewed in Active Directory because it is soon to expire. Now I have to adjust the SCEP RA Profile in ISE, and I have some questions.

I am going to follow this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200543-Renew-SCEP-RA-certificate-on-Windows-Ser.html

If I understand correctly, I will have to create a new SCEP RA profile to download the new certificates to the ISE Trusted Certificates Store, and re-bind my certificate template to the new SCEP RA profile.

My question is, what am I supposed to do with the old SCEP RA profile? Just leave it be? I found that if I remove it, ISE will automatically clean up the Trusted Certificates Store for the whole cert chain used in the SCEP RA profile: "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store." That would remove the root CA used for all my EAP and Admin certs, so I do not want to do that. But I also don't want to have expired certs (the RA certificates) in the ISE trust store.

If I leave the old SCEP RA profile be, can I safely remove the old RA certificates in the ISE Trusted Certificates Store, so that I don't have any expired certs in my trust store? See the attached image of the RA cert in the ISE Trusted Certificates Store that I want gone:

[Image: ISE Trusted Certificates Store]

7 Replies
Cisco Employee

Re: Renew SCEP RA certificate in ISE

I believe you can't remove the old RA certificate alone, as it is referenced by your old SCEP RA profile.
If your root certificates are the same as the older ones, ideally they should get imported when you add the new SCEP RA profile.
What you could do:
1. Just to be cautious, please take a backup of the existing certificates.
2. Create a new SCEP RA profile, which would add the new root CA chain along with the new RA certs.
3. Bind it to your onboarding profiles. Try to onboard the devices and ensure endpoints are getting certificates using the new SCEP RA profile and RA certificates.
4. Then you could try removing the old SCEP RA profile, which would clean up the old RA certs.

Beginner

Re: Renew SCEP RA certificate in ISE

Thank you for answering.

"Then you could try removing old SCEP RA profile which would clean up old RA certs."

Would that not remove the whole cert chain, and with it the root CA as well? The root CA that signed the intermediate that signed the RA cert is the same root CA that signed the intermediate that signed the certs for Admin and EAP. Would that not put inter-node communication as well as EAP in ISE at risk if the root CA disappears from the trust store?
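The concern in this post is a dependency question: an expired RA certificate may be pruned only if no still-valid certificate (the Admin and EAP certs) chains through it, and a shared root CA must stay even though one chain under it has expired. The following script is an added example, not code from the thread or from Cisco; it models that check over a trust-store listing whose names, expiry dates and line format are all constructed for the example. It does not talk to ISE; it is the reasoning an administrator would apply before deleting anything from the Trusted Certificates Store.

```python
"""Trust-store pruning check (added example; constructed data, not an ISE export).

Rule applied: a certificate is safe to remove only if it has expired AND no
certificate that is still valid chains through it. A root CA shared by the
expired RA chain and the valid Admin/EAP chains is therefore never removable.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class CertEntry:
    subject: str        # subject / friendly name as shown in the trust store
    issuer: str         # subject of the signing cert (equal to subject for a root)
    not_after: datetime


def parse_store(listing: str) -> List[CertEntry]:
    """Parse a 'subject | issuer | expiry (YYYY-MM-DD)' listing.

    The pipe format is invented for this example; a real audit would read
    PEM/DER files or an exported certificate list instead. '#' lines are comments.
    """
    entries = []
    for line in listing.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        subject, issuer, expiry = (field.strip() for field in line.split("|"))
        not_after = datetime.fromisoformat(expiry).replace(tzinfo=timezone.utc)
        entries.append(CertEntry(subject, issuer, not_after))
    return entries


def chain_of(store: List[CertEntry], cert: CertEntry) -> List[str]:
    """Subjects from `cert` up to its self-signed root, or up to the last
    issuer present in the store if the chain is incomplete. Loop-safe."""
    by_subject: Dict[str, CertEntry] = {c.subject: c for c in store}
    chain: List[str] = []
    current = cert
    while current is not None and current.subject not in chain:
        chain.append(current.subject)
        if current.issuer == current.subject:   # reached a root
            break
        current = by_subject.get(current.issuer)
    return chain


def required_subjects(store: List[CertEntry], now: datetime) -> Set[str]:
    """Every certificate that some still-valid certificate chains through.
    These must stay in the store regardless of their own expiry date."""
    needed: Set[str] = set()
    for cert in store:
        if cert.not_after >= now:
            needed.update(chain_of(store, cert))
    return needed


def safe_to_remove(store: List[CertEntry], now: datetime) -> List[str]:
    """Expired certificates that nothing valid depends on."""
    needed = required_subjects(store, now)
    return sorted(c.subject for c in store
                  if c.not_after < now and c.subject not in needed)


def dependents(store: List[CertEntry], subject: str) -> List[str]:
    """Certificates (other than `subject` itself) whose chain passes through it;
    this is what an administrator wants to see before deleting a CA cert."""
    return sorted(c.subject for c in store
                  if c.subject != subject and subject in chain_of(store, c))


# Constructed trust-store listing, modelled on the situation in the thread:
# one corporate root/intermediate shared by Admin, EAP and both RA certs,
# plus an unrelated, fully expired lab chain that nothing depends on.
TRUST_STORE = """
# subject               | issuer           | not after
Corp Root CA            | Corp Root CA     | 2035-01-01
Corp Issuing CA         | Corp Root CA     | 2030-01-01
ISE Admin certificate   | Corp Issuing CA  | 2021-06-30
ISE EAP certificate     | Corp Issuing CA  | 2021-06-30
NDES-MSCEP-RA (2018)    | Corp Issuing CA  | 2019-08-15
NDES-MSCEP-RA (2019)    | Corp Issuing CA  | 2021-08-15
Old Lab Root CA         | Old Lab Root CA  | 2019-01-01
Old Lab NDES-MSCEP-RA   | Old Lab Root CA  | 2019-01-01
"""
NOW = datetime(2019, 9, 1, tzinfo=timezone.utc)   # fixed "today" for reproducibility


if __name__ == "__main__":
    store = parse_store(TRUST_STORE)
    print("Safe to remove:", safe_to_remove(store, NOW))
    for ca in ("Corp Root CA", "Corp Issuing CA"):
        print(f"{ca} is needed by:", dependents(store, ca))
```

With the constructed data, the 2018 RA certificate and the whole old lab chain come out as removable, while both corporate CA certificates are reported as required because the valid Admin, EAP and 2019 RA certificates chain through them. Swap in your own listing to see which expired entries are actually isolated before touching the store.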
Cisco Employee

Re: Renew SCEP RA certificate in ISE

No, removing the SCEP RA profile does not delete certificates in ISE trusted certificates store.

Beginner

Re: Renew SCEP RA certificate in ISE

Ok, the following is written in the admin guide; is that not correct? "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store."

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011100.html

Cisco Employee (Accepted Solution)

Re: Renew SCEP RA certificate in ISE

Thanks for pointing it out. That doc was updated due to CSCvn85523 and an issue associated with CSCvn85484. The latter is addressed in ISE 2.2 Patch 15, 2.3 Patch 7, 2.4 Patch 9, and 2.6 Patch 1.

PS: I've reopened the doc bug and asked for doc correction.

Beginner

Re: Renew SCEP RA certificate in ISE

Ok, thank you. I am running 2.3 Patch 6, so what is the correct procedure in that case?

Cisco Employee

Re: Renew SCEP RA certificate in ISE

I would suggest applying Patch 7, which was released on 07-Aug-2019, first.