Validity of self-signed certificate

umahar
Cisco Employee

We have a customer who wants to use a self-signed certificate for pxGrid integration.

The self-signed certificate is valid for only 1 year.

Is there a way we can re-issue the self-signed certificate to increase the validity of the certificate?

Also, is a self-signed certificate recommended for a pxGrid deployment?

Accepted Solution

Craig Hyps
Level 10

I assume you mean "extend" its validity. If you reissue the cert, then other hosts that rely on that cert will need to re-import it. For this and other reasons, it is better to sign the cert with ISE or another trusted CA, so that certs that are reissued can be auto-trusted based on the trust of the signing CA/cert chain. You can also revoke individual certs without breaking trust amongst other hosts.

Craig


3 Replies

Hi Craig,

Yes, I meant extend the validity, if it's possible. I think the customer has some constraints in getting a pxGrid template with server and client EKUs using their CA.

When you say sign the cert with ISE, are you proposing we follow this guide: Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxGrid) Client…?

I am proposing the issuance of certs signed by *some* trusted CA. That could be the ISE CA or an external CA. Not sure why your customer's CA cannot issue certs with key usage to support client and server authentication. They may be relying on a default template that assumes client-only auth. They need to use a different template.

Craig
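The two points made in this thread (a reissued self-signed cert must be re-imported by every peer, whereas a cert reissued under a trusted CA keeps verifying; and a pxGrid identity needs both the serverAuth and clientAuth EKUs) can be checked locally with OpenSSL. The script below is an added example, not code from the thread, from Cisco or from ISE. The CA name "pxgrid-demo-ca", the client hostname "pxgrid-client.example.com", the file names and the extension files are all assumed; the demo CA simply stands in for the ISE internal CA or a corporate CA.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: the demo CA
# "pxgrid-demo-ca", the client "pxgrid-client.example.com", all file names.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

CLIENT_CN="pxgrid-client.example.com"   # assumed pxGrid client hostname

# Minimal req config so 'openssl req -subj' works without a system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Extensions for a pxGrid identity: server AND client authentication
cat > pxgrid.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:${CLIENT_CN}
EOF

# A "default" template that only allows client auth (the mismatch in the thread)
cat > clientonly.ext <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Extensions for the demo CA
cat > ca.ext <<EOF
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_csr NAME CN: fresh key + CSR (a reissue here rotates the key as well)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# self_sign NAME EXT DAYS: self-signed cert from NAME.csr
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" \
    -days "$3" -extfile "$2" 2>/dev/null
}

# ca_sign NAME EXT DAYS: cert for NAME.csr signed by the demo CA
ca_sign() {
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days "$3" -extfile "$2" 2>/dev/null
}

# verify_against TRUSTED CERT: exit 0 if CERT chains to TRUSTED, non-zero otherwise
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_pxgrid_ekus CERT: exit 0 only if both serverAuth and clientAuth are present
has_pxgrid_ekus() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q "TLS Web Server Authentication" &&
    echo "$txt" | grep -q "TLS Web Client Authentication"
}

setup_demo() {
  # Demo CA (the role played by the ISE internal CA or a corporate CA)
  new_csr ca "pxgrid-demo-ca"
  self_sign ca ca.ext 3650

  # Self-signed client cert, then its "reissue" with a longer validity
  new_csr self1 "$CLIENT_CN"
  self_sign self1 pxgrid.ext 365
  new_csr self2 "$CLIENT_CN"
  self_sign self2 pxgrid.ext 730

  # CA-signed client cert, then its reissue with a longer validity
  new_csr client1 "$CLIENT_CN"
  ca_sign client1 pxgrid.ext 365
  new_csr client2 "$CLIENT_CN"
  ca_sign client2 pxgrid.ext 730

  # Cert cut from a client-only template (what a default CA template may give)
  new_csr clientonly "$CLIENT_CN"
  ca_sign clientonly clientonly.ext 365
}

setup_demo

# Peers that imported self1.crt do not trust the reissued self2.crt
if verify_against self1.crt self2.crt; then
  echo "reissued self-signed cert: trusted"
else
  echo "reissued self-signed cert: NOT trusted; every peer must re-import self2.crt"
fi

# Peers that trust the CA accept the reissued client2.crt without any re-import
if verify_against ca.crt client2.crt; then
  echo "reissued CA-signed cert: trusted via ca.crt"
fi

# EKU check a practitioner should run on any cert destined for pxGrid
for c in client2.crt clientonly.crt; do
  if has_pxgrid_ekus "$c"; then
    echo "$c: has serverAuth and clientAuth"
  else
    echo "$c: missing serverAuth or clientAuth, unusable for pxGrid"
  fi
done
```

The self-signed reissue fails verification even though the subject is unchanged, because OpenSSL only accepts a self-signed certificate that is byte-identical to a trust anchor; each peer has to import the new certificate by hand. The CA-signed reissue verifies with nothing more than the CA certificate already in the peers' trust stores, and the CA can additionally publish a CRL to retire the old certificate, which is not shown here.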