03-23-2020 07:57 AM
Hi!
The RA certificate has been renewed in Active Directory because it was soon to expire. Now I have to adjust the SCEP RA Profile in ISE, and I have some questions.
I am going to follow this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200543-Renew-SCEP-RA-certificate-on-Windows-Ser.html
And if I understand correctly, I will have to create a new SCEP RA profile to download the new certificates to the ISE trust Certificate Store, and re-bind my certificate template to the new SCEP RA profile.
My question is, what am I supposed to do with the old SCEP RA profile? Just leave it be? I found that if I remove it, ISE will automatically clean up the Certificate Trust store for the whole cert chain used in the SCEP RA profile: "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store." That would remove the RootCA used for all my EAP and Admin certs, so I do not want to do that. But I also don't want to have expired certs (the RA certificates) in the ISE trust store.
If I leave the old SCEP RA profile be, can I safely remove the old RA Certificates in the ISE Certificate Trust Store? So that I don't have any expired certs in my trust store. See attached image of the RA cert in ISE Trusted Certificates Store that I want gone:
03-24-2020 09:03 AM
I believe you can't remove the old RA certificate alone, as it is referenced by your old SCEP RA profile.
If your root certificates are the same as the older one, ideally they should get imported when you are adding the new SCEP RA profile.
What you could do:
Just to be cautious, please take a backup of the existing certificates.
Create a new SCEP RA profile which would add new root CA chain along with new RA certs.
Bind it to your on-boarding profiles. Try to on-board the devices and ensure endpoints are getting certificates using new SCEP RA profile and RA certificates itself.
Then you could try removing old SCEP RA profile which would clean up old RA certs.
03-25-2020 02:23 AM
Thank you for answering.
"
Then you could try removing old SCEP RA profile which would clean up old RA certs.
"
Would that not remove the whole cert chain and by that the rootCA also? The rootCA that has signed the intermediate that signed the RA cert is the same rootCA that has signed the intermediate that has signed the certs for Admin and EAP. Would that not risk the inter-node communication as well as EAP in ISE if the rootCA disappears in the trust store?
03-25-2020 05:37 PM
No, removing the SCEP RA profile does not delete certificates in ISE trusted certificates store.
03-26-2020 01:22 AM
Ok, the following is written in the admin guide, is that not correct? "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store."
03-26-2020 05:04 PM - edited 03-28-2020 06:03 PM
Thanks for pointing it out. That doc was updated due to CSCvn85523 and an issue associated with CSCvn85484. The latter is addressed in ISE 2.2 Patch 15, 2.3 Patch 7, 2.4 Patch 9, and 2.6 Patch 1.
PS: I've reopened the doc bug and asked for doc correction.
03-29-2020 11:23 PM
Ok, thank you. I am running 2.3 patch 6, so what is the correct procedure in that case?
03-30-2020 11:28 AM
I would suggest applying Patch 7, which was released on 07-Aug-2019, first.