08-22-2019 12:12 AM
We have to renew System Certificates in a distributed environment that will expire in a few days using the same external CA. We are running 2.2 patch 7. We changed the OU (CN,OU,C,O,L,ST) field so that the subject is different from the current one and selected Multi-Use (Admin, EAP Authentication, Portal) when generating the CSR for the renewal.
The following is what I need clarity on.
1. When to edit the PSNs' Usage to EAP Authentication after the Bind was successful?
2. What is the behavior when both the old but still valid cert is in the system and the new cert has been updated with EAP usage?
3. Will the new one take immediately over when it is updated with the Usage or will it only come into effect after the old one has expired?
4. Is there a way that you can force the ISE to use new certs before the old one expires without deleting or do you have to wait until the old cert expires and then see what the authentication behavior is?
08-22-2019 05:44 AM
08-25-2019 08:46 PM
Renewing a cert that has Admin role will cause a restart. And this is why I generally recommend to separate Admin from the rest, if there is the option of creating a long-lived Admin cert (say, 3 years) and if the EAP cert is not related to the Admin PKI. If customers lump it all into one, then this is a moot point. But it's quite disruptive to keep updating the Admin cert, and for very little reason. Either the cert was issued by a public CA, and therefore they only create up to 3-year certs, or Security Team is paranoid (as usual). I have seen 1-year certs for Admin role and those customers are entering a world of pain.
Admin cert: SHA256, 4096 bits, 5 years+ - leave it alone.
Renewing other ISE certs doesn't require an application restart. I'd still make the certs last as long as possible to avoid this operational overhead.
08-27-2019 12:40 AM
Thank you very much for the feedback