Renewing External Intermediate CA

kewhigha
Cisco Employee

I have a customer with a good generic ISE deployment question. 

 

This customer has an existing CA infrastructure that he has integrated with ISE. The Root CA expires after 30 years, and has signed an Issuer CA that lasts 10. This customer has all his endpoints already provisioned with certificates through the existing Issuer CA, and ISE authenticates these endpoints with EAP-TLS. 

 

9.5 years pass, and the customer is now planning to renew his Issuing CA and reissue PKI across his environment. He generated a new issuing CA with the same subject, but now needs the existing issuing CA alongside the new one while he migrates his endpoints from old certs to new certs. In ISE, if you try to import two CAs with the same subject and different serial numbers, a warning prompts you to delete the existing cert.

 

This is bad because we're now stuck supporting only clients with new certs or clients with old certs, but not both. The company is large enough that it's impossible to issue all endpoints a new certificate at the same time, so how can ISE accommodate a migration like this given the trust store limitation we have?

4 Replies

pan
Cisco Employee

ISE can take two certificates with the same subject name, but there should be something unique.

pan
Cisco Employee

 

[attachment: cert.png]

 

If the same issuer is renewing the certificate, what would be unique? It's the same issuer to the same CN, and what changes is the serial number of the cert and the validity dates. The fact that the serial number and dates are different should have been enough.

 

Look at CUCM as an example where certificate renewal allows for a smooth migration. When you renew a certificate, the old one is added as a trusted certificate and the new one is added as the active system certificate. I can have multiple CAPF certificates, with LSCs (endpoint phone certificates) signed by each of these CAPFs in a CUCM deployment, without hurting a single phone's authentication process or compromising security.

 

Besides, you can only have one cert assigned for EAP per ISE node. As the Admin guide states:

"You can associate only one certificate from each node for each of these purposes".

 

Even if you changed the CN, applying the new cert as your EAP authentication cert means you need to remove the old one from that purpose. This means all existing workstations with the old cert can't authenticate to your PSNs.

 

The moment you change your issuing CA's certificate, which is part of any PKI lifecycle, you are in fact stuck in a deadlock: you can't first update endpoint certificates because your PSN's EAP certificate was issued by the older issuer cert, and you can't first update your PSN node's EAP certificate because it will be signed by a newer cert than the endpoints'. Either way the trust chain is broken and some batch of endpoints won't pass EAP-TLS.

 

This is a major issue. 

 

pan
Cisco Employee

While generating a new intermediate, I kept every field the same as in the old intermediate cert, except for a different value in OU.

 

Yes, this point is valid: "You can associate only one certificate from each node for each of these purposes".
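The situation the question and the replies above describe, worked through with OpenSSL as an added example (this is not code from the original post, from Cisco or from ISE): one root CA, two issuing CAs with an identical subject, an endpoint certificate from each issuing CA, and a PSN EAP server certificate issued by the old one. It shows what standard X.509 path building does when both issuers sit in a trust store and what breaks when the old issuer is removed, on either side of the EAP-TLS exchange. It demonstrates OpenSSL's behaviour only and says nothing about how ISE's trust store accepts or rejects such certificates. All names, serial numbers and lifetimes are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Cisco: a toy PKI mirroring the
# customer's situation. All names, serials and lifetimes are made up.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Self-contained OpenSSL config so the script does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
commonName = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_endpoint ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_eap_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# issue NAME SUBJECT SIGNER EXT_SECTION SERIAL DAYS: fresh key + CSR, signed with SIGNER's key
issue() {
  local name=$1 subject=$2 signer=$3 ext=$4 serial=$5 days=$6
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "$subject" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" \
    -set_serial "$serial" -days "$days" -extfile "$WORK/ca.cnf" -extensions "$ext" \
    -out "$WORK/$name.pem" 2>/dev/null
}

build_pki() {
  write_config
  # Root CA: self-signed, roughly 30 years
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -extensions v3_root \
    -subj "/O=Example Corp/CN=Example Root CA" -days 10950 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Old and new issuing CAs: identical subject; only key, serial, SKI and dates differ
  issue issuing-old "/O=Example Corp/CN=Example Issuing CA" root v3_issuing 0x1001 3650
  issue issuing-new "/O=Example Corp/CN=Example Issuing CA" root v3_issuing 0x2001 3650
  # One endpoint cert from each issuing CA, plus the PSN's EAP server cert from the old one
  issue endpoint-old "/O=Example Corp/CN=laptop-0001" issuing-old v3_endpoint 0x10 365
  issue endpoint-new "/O=Example Corp/CN=laptop-0001" issuing-new v3_endpoint 0x20 365
  issue psn-eap "/O=Example Corp/CN=psn1.example.com" issuing-old v3_eap_server 0x30 365
  # Candidate trust stores: both issuing CAs, or only the new one (old one deleted)
  cat "$WORK/root.pem" "$WORK/issuing-old.pem" "$WORK/issuing-new.pem" > "$WORK/store-both.pem"
  cat "$WORK/root.pem" "$WORK/issuing-new.pem" > "$WORK/store-new-only.pem"
}

# Show what actually distinguishes the two issuing CAs (the subject is identical)
describe_ca() {
  openssl x509 -in "$1" -noout -subject -serial -enddate -ext subjectKeyIdentifier
}

# verify_leaf STORE LEAF: standard X.509 path validation against a trust-store bundle;
# exit status 0 means a chain was built, non-zero means no trusted issuer matched
verify_leaf() {
  openssl verify -CAfile "$1" "$2"
}

build_pki
describe_ca "$WORK/issuing-old.pem"
describe_ca "$WORK/issuing-new.pem"
echo "--- Server-side view: trust store holding both issuing CAs"
verify_leaf "$WORK/store-both.pem" "$WORK/endpoint-old.pem"
verify_leaf "$WORK/store-both.pem" "$WORK/endpoint-new.pem"
echo "--- Server-side view: old issuing CA deleted from the trust store"
verify_leaf "$WORK/store-new-only.pem" "$WORK/endpoint-old.pem" || echo "endpoint-old rejected: its issuer is no longer trusted"
echo "--- Endpoint-side view: a migrated supplicant that trusts only the new issuing CA"
verify_leaf "$WORK/store-new-only.pem" "$WORK/psn-eap.pem" || echo "psn-eap rejected: the PSN cert still chains to the old issuer"
```

Run it with `bash` and an OpenSSL 1.1.1 or newer binary on the path. The two `describe_ca` lines show the same subject with different serials, subject key identifiers and expiry dates; those are the fields a path builder uses to tell the two CAs apart. OpenSSL picks among same-subject candidates by matching the leaf's authority key identifier against each candidate's subject key identifier, which is why both endpoint certificates validate against the bundle that holds both issuing CAs. The last two checks are the two halves of the deadlock described in the second reply: dropping the old issuer breaks the old endpoints on the server side, and an endpoint that trusts only the new issuer rejects a PSN whose EAP certificate still chains to the old one.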