Renewing ISE EAP/Admin Cert and PKI CA Cert

Ciscorocks
Level 1

Does anyone have any input on the process of renewing the cert that is used for EAP/Admin services in ISE? I am assuming we just create a new CSR, list all of the nodes in the SAN field, have it signed by our PKI CA and import it? I am also wondering what the process is when renewing the trusted CA cert that has signed the EAP/Admin system cert. Can we just import a new CA certificate, or do we need to re-sign the system cert (EAP/Admin cert)?


Thanks!

11 Replies

You will need new CSRs. Then it's just a normal bind process. It's more secure to do one CSR per node, but you can also do one CSR with all of the ISE SANs in it too.

Keep in mind admin node replacement does cause a service restart.

Ciscorocks
Level 1

Hi Ahollifield, thanks for the message. How do we go about renewing the CA cert that has signed these system certs? Any info is appreciated. Thanks.

Generate CSRs. Export CSRs. Get CSRs signed by your CA. Bind signed certificates to the CSR within ISE.

Yep, I understand that part, but what I am asking is how we replace/renew the actual CA cert from the certificate authority (aka the CA that does the signing) located in the trusted cert store in ISE when it comes time to renew that one?

Ah, gotcha. Under Trusted Certificates, you just import the new CA public key and make sure it's trusted for authentication of client devices (if it is going to be used for EAP). Also be sure to adjust CRL or any OCSP configuration that might be tied to the old CA as well.

Ok thanks! Do we need to have the system certs re-signed by the new CA cert?

If you are changing CAs, yes. So your flow should be the following:

  • Add new CA Public Keys as Trusted Certificates in ISE
  • Generate and export new CSRs for your ISE nodes
  • Get CSRs signed by your new CA
  • Bind returned certificates to the matching CSRs in ISE.
  • ISE Service Restart (depending on cert role).
  • Once all nodes have certs from the new CA and all clients no longer are presenting certificates to ISE from the old CA, delete the old CA from the Trusted Certificates store in ISE.
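
Before the bind step in the flow above, it is worth checking the certificate the CA returned against the new CA and against the node list. The following POSIX shell script is an added example (not from this thread or from Cisco) that uses openssl to confirm the returned cert chains to the new CA, that its SAN names every ISE node you pass, and that it is not about to expire; the CA, node names and file paths are constructed assumptions, and the demo builds its own throwaway certificates so it runs offline.

```shell
#!/bin/sh
# Pre-bind checks for a signed ISE system certificate (hypothetical helper, not Cisco's;
# assumes openssl is on PATH; all file and host names are constructed examples).
set -eu

# Returns 0 if the signed certificate ($2) chains to the CA certificate ($1).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the DNS entries of the certificate's subjectAltName, one per line.
leaf_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Returns 0 only if every node FQDN given after the cert file appears in its SAN list.
sans_cover_nodes() {
  cert="$1"; shift
  sans=$(leaf_sans "$cert")
  for node in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$node" || return 1
  done
}

# Returns 0 if the certificate is still valid N days ($2) from now, 1 if it expires sooner.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Builds a throwaway CA plus a leaf cert naming two made-up ISE nodes; prints the directory.
make_demo_certs() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -days 30 -subj "/CN=Demo Internal CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/ise.key" -out "$d/ise.csr" \
    -subj "/CN=ise-pan1.example.test" >/dev/null 2>&1
  printf 'subjectAltName=DNS:ise-pan1.example.test,DNS:ise-psn1.example.test\n' > "$d/san.cnf"
  openssl x509 -req -in "$d/ise.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/san.cnf" -days 10 -out "$d/ise.pem" >/dev/null 2>&1
  printf '%s\n' "$d"
}

# Demo on the constructed certificates; a real run would point at the CA export and the
# certificate returned for the CSR, and list every node in the deployment.
demo=$(make_demo_certs)
chains_to_ca "$demo/ca.pem" "$demo/ise.pem" && echo "chain to CA: ok" || echo "chain to CA: FAIL"
sans_cover_nodes "$demo/ise.pem" ise-pan1.example.test ise-psn1.example.test && echo "SAN: ok" || echo "SAN: FAIL"
valid_for_days "$demo/ise.pem" 5 && echo "validity: ok" || echo "validity: FAIL"
```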

Ok thank you!

So, what if the CA is not changing, but rather is the same CA as before, and the cert is expiring so it needs to be renewed? Do we need to re-sign the system certs used for admin/EAP with this cert? Or do we simply import the new cert with new expiration dates and delete the old one? Or is the process the same as stated in the previous message?


Does this question make sense?

I recently updated the EAP certificate that was soon to expire with another one with the same CN, signed by the same CA that was already in the CA Trusted list. Depending on the version you are running, you can have 2 x EAP certs with the same CN, so once you upload the new one and assign the service (EAP in my case, which is removed from the soon-to-expire cert), the application services on the nodes are restarted as soon as the new cert is installed on each node of the deployment. Once the new cert is uploaded to all the nodes, you can delete the soon-to-expire one.


By upload I meant importing the updated EAP cert, but you need the encryption key file and the secret key/password of that encryption key file (that's the way I always do this so I do not have to deal with CSR creation).

Thanks for the reply. I understand what you did there. But what I am asking is what the process is for replacing the CA that has signed your EAP/admin cert and that is in the trusted store, if it is not changing. For example, the EAP cert is signed by the internal CA that is in the trusted cert store. When that cert is about to expire, can I just import a new cert from the same CA, or do I need to import that new cert from the same CA and then re-generate CSRs for the EAP cert and have them signed by the same CA again?


I hope this makes sense.