Solved: Richard,

richard-matthews · ‎10-30-2015

Hi,

Apologies if this is posted in the wrong community.

We have a NAC manager and 2 CAS where the external CA SSL certificates are expiring on 1st November. These are certs based on the internal IP addresses of the applainces.

Due to a change in the CAB Forum, external CAs will no longer issues certs based on interally resolvable IPs or hostnames, so I need to replace these certs with ones based on their FQDN.

However, I only have the option to generate a CSR based on the exisiting cert, or to generate a new temporary certificate. Doing this will allow me to generate a cert based on the FQDN but I am unsure of the impact generating a new certificate will cause?

Has anyone done this before? If so, is it safe to do or will it cause issues within the appliances/with end users connecting?

Is this the only way to generate a new certificate?

Thanks in advance for any help or suggestions you can provide

Jagdeep Gambhir · ‎10-31-2015

Richard,

No need to remove old cert, generating new temp cert will not cause any issue.

This should answer your query.

http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_admin.html#wp1076740

~JG

Do rate helpful posts

View solution in original post

Jagdeep Gambhir · ‎10-31-2015

Richard,

No need to remove old cert, generating new temp cert will not cause any issue.

This should answer your query.

http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_admin.html#wp1076740

~JG

Do rate helpful posts

Replacing Cisco NAC SSL Certificate