Solved: Renew System Certificate in ISE and end-point

Arie -- · ‎07-29-2018

Hi,

My customer has ISE 2.1 and the system certificate which used for EAP will be expired. The certificate is signed CA. Then, the end-point certificate also will be expired, as same as ISE system certificate.

Actually, I'm not familiar with end-point certificate. I just know that the end-point certificate will be pushed by AD server when it will be expired or have been expired.

I read the ISE guideline that I should renew the signed certificate before the old one expired. When the new signed certificate installed in ISE, it will inactive because the old one still active until it's expired. When the old one is expired, the new one will be active automatically. Is it correct?

Then, I have 2 questions:

1. If the AD server push to renew certificate before ISE use new certificate, how to deal it?

2. If the old certificate in ISE already expired and inactive, ISE uses new certificate and then there is user who haven't renew the end-point certificate but he/she want's to connect to wireless network (which is use X.509) so that the end-point can get new certificate from AD server, is it possible?

Thank you

hslai · ‎07-29-2018

...
I read the ISE guideline that I should renew the signed certificate before the old one expired. When the new signed certificate installed in ISE, it will inactive because the old one still active until it's expired. When the old one is expired, the new one will be active automatically. Is it correct?
...

First of all, due to the fix for CSCus84706, either the new certificate replaces the existing ISE system certificate used for EAP or it needs created with a slightly different subject (e.g. by adding field O or OU). If using a different subject name, then both certificates can co-exist as ISE system certificates but only one of them used for EAP. When the existing certificate expires, we have to manually switch over to the newer one.

1. If the AD server push to renew certificate before ISE use new certificate, how to deal it?

ISE should be trusting the root CA certificate so, as long as the root CA certificate still valid, this is not an issue.

2. If the old certificate in ISE already expired and inactive, ISE uses new certificate and then there is user who haven't renew the end-point certificate but he/she want's to connect to wireless network (which is use X.509) so that the end-point can get new certificate from AD server, is it possible?

The endpoint clients should also be trusting the root CA certificate so not an issue at all as long as using the same CA chain.

View solution in original post

hslai · ‎07-29-2018

...
I read the ISE guideline that I should renew the signed certificate before the old one expired. When the new signed certificate installed in ISE, it will inactive because the old one still active until it's expired. When the old one is expired, the new one will be active automatically. Is it correct?
...

First of all, due to the fix for CSCus84706, either the new certificate replaces the existing ISE system certificate used for EAP or it needs created with a slightly different subject (e.g. by adding field O or OU). If using a different subject name, then both certificates can co-exist as ISE system certificates but only one of them used for EAP. When the existing certificate expires, we have to manually switch over to the newer one.

1. If the AD server push to renew certificate before ISE use new certificate, how to deal it?

ISE should be trusting the root CA certificate so, as long as the root CA certificate still valid, this is not an issue.

2. If the old certificate in ISE already expired and inactive, ISE uses new certificate and then there is user who haven't renew the end-point certificate but he/she want's to connect to wireless network (which is use X.509) so that the end-point can get new certificate from AD server, is it possible?

The endpoint clients should also be trusting the root CA certificate so not an issue at all as long as using the same CA chain.

Arie -- · ‎07-29-2018

Hi,

Thank you for the answers.

I'm interesting with the root CA. What should I do if the root CA will be expired?

If the root CA is expired, then does it need to renew on Cisco ISE and end-point?

Thank you

hslai · ‎07-29-2018

Yes, because all the certificates from this root CA will also expire. When the root CA expiring, it needs replaced with a new root CA, in turn with any new intermediate CA, and then re-issuing certificates for all endpoints.

Independent of the CA chain(s) used by ISE server certificates, ISE may trust a number of different certificate chains as long as the root CA certificates imported into ISE trusted certificates store and marked for their trust purposes. If the peers sending the full certificate chains of their identity certificates to ISE, that would be it. If the peers send only the end-entity certificates, then the intermediate CA certificates also needed in ISE trusted certificate store.

Please note that if a new certificate has the same subject and the same key pair as the existing certificate, ISE is allowing only one of them, since ISE 1.3. CSCvj31598 is an enhancement request on this issue.

Arie -- · ‎08-05-2018

Hi,
Does it mean I'm unable to create new certificate with same subject on ISE? Or does it mean that only one certificate that can be used if I have new certificate with same subject?
Thank you

hslai · ‎08-05-2018

The latter. Please keep in mind that the subject is comprised of other fields than the common name so it's possible to have the same common name but different O or OU, for example.

Ping Zhou · ‎07-29-2018

To your question 2... If you do EAP-TLS, you need to find a way to ensure endpoint gets its certificate, such as isolated provision /SSID VLAN, helpdesk, connecting endpoint to wired Ethernet if there is no 802.1x on your wired side, etc.