Solved: Self-signed Root certificates

fazmeister4 · ‎12-10-2019

My self signed Root certificates have expired in the Trusted certificates section. They are not being used by any services yet I'd like to renew them. Unlike the System certs there is no option to renew them. Anyone assist ?

Arne Bier · ‎12-11-2019

You should not put self signed certs in the Trusted Store. The Trust Store is for CA certs. Yes - self-signed certs are Root certs and therefore a CA :-) But - you said you don't use ISE self-signed certs. So why do you want to keep these hanging around?

So to answer your question - an ISE Self-Signed cert originates from the System Certs section. go there and click on the Generate Self-Signed cert to create new ones. Then delete the old one(s).

View solution in original post

Arne Bier · ‎12-11-2019

You should not put self signed certs in the Trusted Store. The Trust Store is for CA certs. Yes - self-signed certs are Root certs and therefore a CA :-) But - you said you don't use ISE self-signed certs. So why do you want to keep these hanging around?

So to answer your question - an ISE Self-Signed cert originates from the System Certs section. go there and click on the Generate Self-Signed cert to create new ones. Then delete the old one(s).

Jason Kunst · ‎12-12-2019

@Arne Bier wrote:

You should not put self signed certs in the Trusted Store. The Trust Store is for CA certs. Yes - self-signed certs are Root certs and therefore a CA :-) But - you said you don't use ISE self-signed certs. So why do you want to keep these hanging around?

So to answer your question - an ISE Self-Signed cert originates from the System Certs section. go there and click on the Generate Self-Signed cert to create new ones. Then delete the old one(s).

agree, also check out https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

fazmeister4 · ‎12-17-2019

Thanks, I've removed them now