Renew SCEP RA certificate in ISE

robo0003c
Level 1

Hi!

 

The RA certificate has been renewed in Active Directory because it was about to expire. Now I have to adjust the SCEP RA profile in ISE, and I have some questions.

 

I am going to follow this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200543-Renew-SCEP-RA-certificate-on-Windows-Ser.html

 

And if I understand correctly, I will have to create a new SCEP RA profile to download the new certificates to the ISE trust Certificate Store, and re-bind my certificate template to the new SCEP RA profile.

 

My question is, what am I supposed to do with the old SCEP RA profile? Just leave it be? I found that if I remove it, ISE will automatically clean up the Certificate Trust Store for the whole cert chain used in the SCEP RA profile: "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store." That would remove the root CA used for all my EAP and Admin certs, so I do not want to do that. But I also don't want to have expired certs (the RA certificates) in the ISE trust store.

 

If I leave the old SCEP RA profile be, can I safely remove the old RA certificates in the ISE Certificate Trust Store, so that I don't have any expired certs in my trust store? See the attached image of the RA cert in the ISE Trusted Certificates Store that I want gone:

 

[Image: ISE Trusted Certificates Store]


7 Replies

pavagupt
Cisco Employee

I believe you can't remove the old RA certificate alone, as it is referenced by your old SCEP RA profile.
If your root certificates are the same as the older ones, ideally they should get imported when you are adding the new SCEP RA profile.
What you could do:
Just to be cautious, please take a backup of the existing certificates.
Create a new SCEP RA profile, which would add the new root CA chain along with the new RA certs.
Bind it to your onboarding profiles. Try to onboard the devices and ensure endpoints are getting certificates using the new SCEP RA profile and RA certificates.
Then you could try removing the old SCEP RA profile, which would clean up the old RA certs.
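
The procedure above ends with verifying that endpoints enroll through the new RA before the old profile is removed. As an added example (not from this thread, and not Cisco's or Microsoft's code), the shell script below checks the NDES side of that: it downloads the CA/RA bundle that NDES publishes through the SCEP GetCACert operation, reports each certificate's role (CA or RA) and expiry, and counts how many certificates in a directory still chain to a given CA, which is the check behind the question of whether a root can safely leave a trust store. curl, openssl 1.1.1 or later, the NDES URL, the `message=ca` identifier and the example names are assumptions; the fixture at the bottom is constructed locally and is not a real NDES response.

```shell
#!/usr/bin/env sh
# Added example: audit the RA/CA bundle served by NDES over SCEP GetCACert.
# Assumes curl and openssl (1.1.1+) on PATH; URLs and names are placeholders.
set -eu

# Download the GetCACert response (certs-only PKCS#7, DER) from NDES.
# Usage: fetch_ca_bundle "http://ndes.example.com/certsrv/mscep/mscep.dll" out.p7b
# (the "message" value is an assumed CA identifier; NDES ignores most values)
fetch_ca_bundle() {
  curl -fsS "${1}?operation=GetCACert&message=ca" -o "$2"
}

# Split a DER PKCS#7 bundle into DIR/cert-1.pem, cert-2.pem, ... and print
# how many certificates it contained.
split_bundle() {
  mkdir -p "$2"
  openssl pkcs7 -inform DER -in "$1" -print_certs | awk -v d="$2" '
    /BEGIN CERTIFICATE/ { n++; f = d "/cert-" n ".pem" }
    f                   { print > f }
    /END CERTIFICATE/   { close(f); f = "" }'
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# Subject or issuer of a PEM cert in RFC 2253 form, without the "subject=" prefix.
# Usage: name_of subject|issuer FILE
name_of() {
  out=$(openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253)
  printf '%s\n' "${out#*=}"
}

# True if the cert carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Print one line per cert (role, subject, notAfter, status) and return 1 if any
# certificate is already expired or expires within WARN_DAYS (default 30).
audit_bundle() {
  dir="$1"; warn_days="${2:-30}"; rc=0
  for f in "$dir"/cert-*.pem; do
    if is_ca "$f"; then role="CA"; else role="RA"; fi
    if openssl x509 -in "$f" -noout -checkend $((warn_days * 86400)) >/dev/null; then
      status="ok"
    else
      status="EXPIRING"; rc=1
    fi
    printf '%s\t%s\t%s\t%s\n' "$role" "$(name_of subject "$f")" \
      "$(openssl x509 -in "$f" -noout -enddate)" "$status"
  done
  return "$rc"
}

# Count the PEM certs in STORE_DIR whose issuer is the subject of CA_FILE
# (the CA itself is not counted). A non-zero result for certs outside the old
# RA chain (EAP, Admin, ...) means that CA must stay in the trust store.
issued_by() {
  ca_subject=$(name_of subject "$1"); n=0
  for f in "$2"/*.pem; do
    if [ "$(name_of issuer "$f")" = "$ca_subject" ] && \
       [ "$(name_of subject "$f")" != "$ca_subject" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed fixture (not a real NDES): a root CA plus an RA certificate valid
# for RA_DAYS days (default 1), wrapped the way NDES serves GetCACert.
make_test_bundle() {
  dir="$1"; ra_days="${2:-1}"; mkdir -p "$dir"
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ra]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 3650 -subj "/CN=Example Root CA" \
    -config "$dir/ext.cnf" -extensions v3_ca 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ra.key" -out "$dir/ra.csr" -subj "/CN=ndes-ra.example.com" \
    -config "$dir/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/ra.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$ra_days" -out "$dir/ra.pem" \
    -extfile "$dir/ext.cnf" -extensions v3_ra 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$dir/ra.pem" -certfile "$dir/ca.pem" \
    -outform DER -out "$dir/bundle.p7b"
}

# Run with --demo to audit the constructed fixture instead of a live NDES.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_test_bundle "$tmp"
  split_bundle "$tmp/bundle.p7b" "$tmp/certs" >/dev/null
  audit_bundle "$tmp/certs" 30 || echo "at least one certificate needs renewal"
fi
```

Against a live server, call `fetch_ca_bundle` with the NDES mscep URL and feed the file to `split_bundle` and `audit_bundle`; the RA line should show the renewed certificate's notAfter before the new SCEP RA profile is created in ISE, and `issued_by` run over the exported EAP and Admin certificates shows which CA they depend on.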

Thank you for answering.

 

"Then you could try removing old SCEP RA profile which would clean up old RA certs."

 

Would that not remove the whole cert chain, and with it the root CA as well? The root CA that signed the intermediate that signed the RA cert is the same root CA that signed the intermediate that signed the certs for Admin and EAP. Would that not put inter-node communication as well as EAP in ISE at risk if the root CA disappears from the trust store?

 

 

No, removing the SCEP RA profile does not delete certificates in ISE trusted certificates store.

Ok, the following is written in the admin guide, is that not correct? "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store."

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011100.html

Thanks for pointing it out. That doc was updated due to CSCvn85523 and an issue associated with CSCvn85484. The latter is addressed in ISE 2.2 Patch 15, 2.3 Patch 7, 2.4 Patch 9, and 2.6 Patch 1.

PS: I've reopened the doc bug and asked for doc correction.

OK, thank you. I am running 2.3 patch 6, so what is the correct procedure in that case?

I would suggest applying Patch 7, which was released on 07-Aug-2019, first.
