Renew Self Signed Certificate on ISE

NaujEl
Level 1

Hi,

I need help renewing a self-signed certificate on a customer's ISE. They have a self-signed certificate that is used for admin and EAP authentication, and I've seen that there's a Renewal Period option for these types of certificates. My question is: if I update this certificate with that option, will all clients who have that certificate also be updated? Or do I need to upgrade by GPO or one by one?

I was looking at changing that certificate to one signed by an external CA like DigiCert, but I'm not sure if this avoids the problem of propagating the certificate.

Accepted Solution

balaji.bandi
Hall of Fame

"do I need to upgrade by GPO or one by one."

If it is the same CA and the clients already know that root CA, that should be OK. If you are using a new CA, then the clients should trust that cert also (so you need to push the certs to the clients to trust, using GPO or any other method). ISE does not push certs to clients, as far as I know.

For EAP, if the certificate server is new, you need to push it to all the clients before you update it on ISE, so the clients can trust that cert.

Sure, you can use public certs, so the clients do not need to have the CA certs installed, since the clients already know the public CAs.

Check this if you are looking at public or your own PKI:

https://community.cisco.com/t5/security-knowledge-base/using-let-s-encrypt-certificates-with-cisco-ise/ta-p/5090885

If you have more PSNs, you can do testing one PSN at a time, binding the certs.

BB


2 Replies


Arne Bier
VIP

Renewing an ISE self-signed cert does very little to the cert: it changes only the valid-from and valid-to dates, and then the signature hash is regenerated. The serial number of the cert remains the same. End clients would not know the difference between old and new.
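The two replies above look at the same trust question from different angles: balaji.bandi's point that clients keep trusting a renewed certificate only when they already trust whatever signed it, and Arne Bier's description of what an ISE self-signed renewal changes (new validity dates and signature, same serial number). The script below is an added example, not code from the thread, from Cisco or from ISE itself. It uses the openssl command line to build throwaway certificates and check both points: it compares the fields of a self-signed certificate before and after a renewal done with the same key, subject and serial, asks openssl verify (standing in for a client's trust store) whether a store holding only the old certificate accepts the renewed one, and then repeats the trust check with CA-issued certificates from the same CA and from a different CA. The node name ise.example.test, the serial numbers and the CA names ca1 and ca2 are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds throwaway certificates with the
# openssl CLI to show (a) what a "renewal" of a self-signed cert changes and
# (b) how a client trust store holding the OLD material reacts in each case.
# Subject names, serials and file names below are made up for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/CN=ise.example.test"   # made-up ISE node name
SERIAL=0x1A2B3C               # made-up serial, deliberately reused on renewal

# Print one attribute of a certificate: serial | notafter | fingerprint | pubkey
cert_field() {
  case "$2" in
    serial)      openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' ;;
    notafter)    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//' ;;
    fingerprint) openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' ;;
    pubkey)      openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | sed 's/^.*= //' ;;
    *) echo "unknown field: $2" >&2; return 1 ;;
  esac
}

# Exit status 0 when certificate $2 validates against trust store file $1
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

report_trust() {  # $1 label, $2 trust store, $3 certificate under test
  if trusted_by "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

make_ca() {  # $1 name -> $WORK/$1.key and $WORK/$1.pem (self-signed, 10 years)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$1" -days 3650 2>/dev/null
}

issue_from_ca() {  # $1 CA name, $2 output name, $3 serial, $4 days; server key is reused
  openssl req -new -key "$WORK/ise.key" -subj "$SUBJ" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -set_serial "$3" -days "$4" -out "$WORK/$2.pem" 2>/dev/null
}

# --- Case A: self-signed cert, then "renewed" with the same key, subject and serial ---
OLD="$WORK/ise-old.pem"; NEW="$WORK/ise-new.pem"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ise.key" -out "$OLD" \
  -subj "$SUBJ" -days 365 -set_serial "$SERIAL" 2>/dev/null
openssl req -x509 -new -key "$WORK/ise.key" -out "$NEW" \
  -subj "$SUBJ" -days 730 -set_serial "$SERIAL" 2>/dev/null

for f in serial pubkey notafter fingerprint; do
  echo "$f: old=$(cert_field "$OLD" "$f")"
  echo "$f: new=$(cert_field "$NEW" "$f")"
done
report_trust "old self-signed vs store holding old cert    " "$OLD" "$OLD"
report_trust "renewed self-signed vs store holding old cert" "$OLD" "$NEW"
report_trust "renewed self-signed vs store holding new cert" "$NEW" "$NEW"

# --- Case B: CA-signed certs, as in the public/own PKI option ---
make_ca ca1; make_ca ca2
issue_from_ca ca1 srv-ca1-first   0x1001 365
issue_from_ca ca1 srv-ca1-renewed 0x1002 365   # renewed by the same CA, new serial
issue_from_ca ca2 srv-ca2         0x2001 365   # issued by a different CA
cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/both.pem"
report_trust "renewed cert from same CA vs store holding ca1  " "$WORK/ca1.pem"  "$WORK/srv-ca1-renewed.pem"
report_trust "cert from new CA vs store holding only ca1      " "$WORK/ca1.pem"  "$WORK/srv-ca2.pem"
report_trust "cert from new CA after ca2 is added to the store" "$WORK/both.pem" "$WORK/srv-ca2.pem"
```

Run it with sh and an openssl binary on the PATH. The field listing shows the serial number and public key unchanged while notAfter and the SHA-256 fingerprint differ, since the signature covers the new validity period. openssl verify accepts a self-signed certificate only when the trust store holds that exact certificate, so the store containing just the old self-signed cert rejects the renewed one, whereas a renewed certificate issued by a CA the store already holds is accepted and a certificate from a new CA is accepted only once that CA is added. Whether a particular client platform's supplicant decides the same way as openssl is something to confirm with that platform in a lab before binding the renewed certificate on a production PSN.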