06-02-2024 09:17 PM
Hi,
I need help renewing a self-signed certificate on a customer's ISE. They have a self-signed certificate that is used for admin and EAP authentication, and I've seen that there's a Renewal Period option for these types of certificates. My question is: if I update this certificate with that option, will all clients who have that certificate also be updated? Or do I need to upgrade by GPO or one by one?
I was looking at changing that certificate to one signed by an external CA like DigiCert, but I'm not sure if this avoids the problem of propagating the certificate.
06-02-2024 11:30 PM
do I need to upgrade by GPO or one by one.
If it is the same CA and the clients know about that root CA, that should be OK. If you are using a new CA then the clients should trust that cert also (so you need to push these certs to the clients to trust, using GPO or any other method). ISE does not push certs to clients, as far as I know.
For EAP, if the certificate server is new, you need to push it to all the clients before you update it on ISE so the clients can trust that cert.
Sure, you can use public certs, so the clients do not need to have the CA certs installed, since clients already know the public CAs.
Check this if you are looking at public or your own PKI:
If you have more PSNs, you can do testing one PSN at a time by binding the certs.
06-03-2024 12:01 AM
Renewing an ISE self-signed cert does very little to the cert: it changes only the valid-from and valid-to dates, and then the signature hash is regenerated. The serial number of the cert remains the same. End clients would not know the difference between old and new.
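The renewal behaviour described in the answer above can be checked with a short program. The following Go code is an added example and is not code from this thread, from Cisco, or from ISE: it issues a self-signed certificate, reissues it with the same private key and the same serial number but a validity window shifted by a year, and then compares the two certificates field by field. The hostname and the serial number are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertDiff records which identity-relevant fields an original certificate and
// its renewed copy have in common. A client that trusts a self-signed
// certificate relies on some subset of these, so the result tells you what a
// given supplicant configuration will and will not notice after a renewal.
type CertDiff struct {
	SameSerial       bool
	SameSubject      bool
	SamePublicKey    bool
	SameFingerprint  bool // SHA-256 over the DER bytes, i.e. the thumbprint
	NotAfterExtended bool
}

// newSelfSigned issues a self-signed certificate for key with the given serial
// and validity window. A renewal in the sense discussed in the thread keeps the
// key and the serial and only moves the window, so the same function produces
// both the original and the renewed certificate.
func newSelfSigned(key *ecdsa.PrivateKey, serial *big.Int, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	const host = "ise-psn1.example.internal" // constructed hostname, not a real node
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint returns the hex SHA-256 thumbprint of the certificate's DER bytes.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Compare reports which fields survived the renewal.
func Compare(oldCert, newCert *x509.Certificate) CertDiff {
	oldPub, ok1 := oldCert.PublicKey.(*ecdsa.PublicKey)
	newPub, ok2 := newCert.PublicKey.(*ecdsa.PublicKey)
	return CertDiff{
		SameSerial:       oldCert.SerialNumber.Cmp(newCert.SerialNumber) == 0,
		SameSubject:      bytes.Equal(oldCert.RawSubject, newCert.RawSubject),
		SamePublicKey:    ok1 && ok2 && oldPub.Equal(newPub),
		SameFingerprint:  Fingerprint(oldCert) == Fingerprint(newCert),
		NotAfterExtended: newCert.NotAfter.After(oldCert.NotAfter),
	}
}

// RenewalDemo issues a certificate, renews it a year later with the same key
// and serial, and returns the comparison of the two.
func RenewalDemo() (CertDiff, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertDiff{}, err
	}
	serial := big.NewInt(0x1a2b3c) // constructed serial; unchanged by the renewal
	issued := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)
	oldCert, err := newSelfSigned(key, serial, issued, issued.AddDate(1, 0, 0))
	if err != nil {
		return CertDiff{}, err
	}
	renewed := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	newCert, err := newSelfSigned(key, serial, renewed, renewed.AddDate(1, 0, 0))
	if err != nil {
		return CertDiff{}, err
	}
	return Compare(oldCert, newCert), nil
}

func main() {
	d, err := RenewalDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", d)
}
```

Running it shows SameSerial, SameSubject and SamePublicKey as true and SameFingerprint as false: the signature is regenerated, and the thumbprint covers the whole DER encoding including the new dates and signature. Which of these a client actually looks at decides whether it notices the renewal; anything that records the certificate's thumbprint, or a pinned copy of the old DER, will see a different value and has to be refreshed, while the serial, subject and key it may have on file are unchanged. The same Compare function can be pointed at an exported old and renewed certificate to confirm this before rolling the change out to the PSNs.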