Trusted Certificates | Default self-signed server certificate

Xividar
Level 1

Hi Guys,

How do we renew our ISE Trusted Default Self-Signed Cert?

 

Screenshot 2021-04-07 at 17.59.00.png

Thank you.


7 Replies

Mike.Cifelli
VIP Alumni

To re-gen self signed certs go to: Administration->System->Certificates->Certificate Management->System Certificates->'Generate Self Signed Certificate'

HTH!

Hi Mike,

Are you saying that once the default self-signed ISE Root Cert expires, we need to move services off of it? Is there no way to renew it?

The 'Default self-signed server certificate' in the Trusted Certificates store is simply a copy of the same cert in the System Certificates store. Depending on the version of ISE you are using, you should be able to edit the cert in the System Certificates store and use the Renew Self Signed Certificate option at the bottom to extend the expiration date. The changes should also be reflected in the Trusted Certificates store.

Screen Shot 2021-04-08 at 9.22.33 am.png

Dear Greg,

Other than extending the renewal period, what else needs to be done if we are using the self signed cert for PEAP (EAP with MSCHAPv2) authentication?

Please help.

Thank you.

The self-signed certificates should only be bound to services that are not actually in use in your environment (pxGrid, RADIUS DTLS, SAML, etc). I would only use the renew self signed certificate option for those certificates. The other option would be to generate new self-signed certs for these unused services upon expiry of the old ones.

Self-signed certificates should never be used for services like EAP. This is NOT recommended and would require re-enrollment of all EAP clients upon any change to the self-signed certificates.

Ideally, an Enterprise CA should sign the ISE and client EAP certificates. Failing that (or for clients that are not managed by your organisation), Public CA signed certificates should be used.
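As an added example (not from this thread, and not a Cisco tool), a small POSIX shell script built on openssl that performs the checks discussed above offline on certificates exported from ISE as PEM: whether a certificate is self-signed (issuer equals subject), how many days remain before it expires, and whether the Trusted Certificates copy and the System Certificates entry are really the same certificate, compared by SHA-256 fingerprint. The file names and the throwaway sample certificate are constructed for the example.

```shell
#!/bin/sh
# Added example: inspect exported ISE certificates (PEM) with openssl.
set -eu

# True when issuer and subject are identical, i.e. the cert is self-signed.
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# Whole days until notAfter (negative once expired). GNU date first, BSD fallback.
days_until_expiry() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
    || date -u -j -f '%b %e %T %Y %Z' "$end" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# SHA-256 fingerprint, the value to compare between the two ISE stores.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True when two PEM exports contain the same certificate.
same_cert() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# Constructed sample: a throwaway self-signed cert standing in for the ISE default.
# $1 = output PEM path, $2 = validity in days. Hypothetical CN.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=ise-node.example.com" >/dev/null 2>&1
}

# Usage: sh ise-cert-check.sh system-export.pem [trusted-export.pem]
if [ "$#" -ge 1 ]; then
  if is_self_signed "$1"; then echo "$1: self-signed"; else echo "$1: CA-signed"; fi
  echo "$1: expires in $(days_until_expiry "$1") days"
  if [ "$#" -ge 2 ]; then
    if same_cert "$1" "$2"; then echo "same certificate"; else echo "different certificates"; fi
  fi
fi
```

A CA-signed certificate will report as CA-signed here, so running this against each service binding is a quick way to confirm nothing in use (EAP in particular) is still on the self-signed certificate.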

Hi Greg, 

Just a question regarding this renewal of the default self-signed certificate. I have 2 ISE nodes in HA, and I successfully did the renewal/extension of the default self-signed certificate on the primary ISE; however, when I did the renewal/extension on the secondary node, after I saved it and the services restarted, the default self-signed certificate of the secondary ISE was not renewed. Do I need to switch over the roles first for the renewal of the secondary node certificate to take effect? I can't see any documentation regarding this, so I appreciate any input. Thank you.

thomas
Cisco Employee

You should NEVER renew a self-signed certificate.

Use a public-CA signed certificate or enterprise CA.
