07-29-2018 03:13 AM - edited 03-11-2019 01:47 AM
Hi,
My customer has ISE 2.1, and the system certificate used for EAP is about to expire. The certificate is CA-signed. The endpoint certificate will also expire, the same as the ISE system certificate.
Actually, I'm not familiar with endpoint certificates. I just know that the endpoint certificate is pushed by the AD server when it is about to expire or has already expired.
I read in the ISE guideline that I should renew the signed certificate before the old one expires. When the new signed certificate is installed in ISE, it will be inactive because the old one stays active until it expires. When the old one expires, the new one will become active automatically. Is that correct?
Then, I have 2 questions:
1. If the AD server pushes the renewed certificate before ISE uses the new certificate, how do I deal with it?
2. If the old certificate in ISE has already expired and is inactive, ISE uses the new certificate, and then a user who hasn't renewed the endpoint certificate wants to connect to the wireless network (which uses X.509) so that the endpoint can get a new certificate from the AD server. Is that possible?
Thank you
07-29-2018 08:01 AM - edited 07-29-2018 08:13 AM
...I read in the ISE guideline that I should renew the signed certificate before the old one expires. When the new signed certificate is installed in ISE, it will be inactive because the old one stays active until it expires. When the old one expires, the new one will become active automatically. Is that correct?
...
First of all, due to the fix for CSCus84706, either the new certificate replaces the existing ISE system certificate used for EAP, or it needs to be created with a slightly different subject (e.g. by adding the O or OU field). If using a different subject name, then both certificates can co-exist as ISE system certificates, but only one of them is used for EAP. When the existing certificate expires, we have to manually switch over to the newer one.
1. If the AD server pushes the renewed certificate before ISE uses the new certificate, how do I deal with it?
ISE should be trusting the root CA certificate, so as long as the root CA certificate is still valid, this is not an issue.
2. If the old certificate in ISE has already expired and is inactive, ISE uses the new certificate, and then a user who hasn't renewed the endpoint certificate wants to connect to the wireless network (which uses X.509) so that the endpoint can get a new certificate from the AD server. Is that possible?
The endpoint clients should also be trusting the root CA certificate, so it is not an issue at all as long as the same CA chain is used.
07-29-2018 08:19 PM
Hi,
Thank you for the answers.
I'm interested in the root CA. What should I do if the root CA is about to expire?
If the root CA expires, does it need to be renewed on Cisco ISE and on the endpoints?
Thank you
07-29-2018 10:06 PM
Yes, because all the certificates from this root CA will also expire. When the root CA is expiring, it needs to be replaced with a new root CA, along with any new intermediate CA, and then certificates re-issued for all endpoints.
Independent of the CA chain(s) used by the ISE server certificates, ISE may trust a number of different certificate chains as long as the root CA certificates are imported into the ISE trusted certificates store and marked for their trust purposes. If the peers send the full certificate chains of their identity certificates to ISE, that would be it. If the peers send only the end-entity certificates, then the intermediate CA certificates are also needed in the ISE trusted certificate store.
Please note that if a new certificate has the same subject and the same key pair as the existing certificate, ISE allows only one of them, since ISE 1.3. CSCvj31598 is an enhancement request on this issue.
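As an added example (not part of this thread, and not a Cisco or ISE tool), the following POSIX shell script builds a throwaway root CA / issuing CA / server chain with the openssl CLI and checks the three points made in the two answers above: a trust store holding only the root cannot validate a peer that sends just its end-entity certificate unless the issuing CA is either sent by the peer or imported into the trusted store; a renewal with the same subject and the same key pair versus one with an O field added; and an expiry check so that the renewal is in place before the old certificate expires. The CA names and the hostname ise.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: a throwaway root -> issuing CA -> server
# chain built with the openssl CLI, used to check the points made in the answers above.
# All names (Example Root CA, Example Issuing CA, ise.example.com) are constructed.
set -e
command -v openssl >/dev/null || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\n' > ee.ext

genkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }
# Sign CSR $1 with CA cert $2 / CA key $3 for $4 days using extension file $5, writing $6.
sign() { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days "$4" -extfile "$5" -out "$6" 2>/dev/null; }

# Root CA (self-signed), issuing CA, and an EAP server certificate valid for only 30 days.
genkey root.key
openssl req -new -x509 -key root.key -config req.cnf -days 730 -out root.pem 2>/dev/null
genkey int.key
openssl req -new -key int.key -config req.cnf -subj "/CN=Example Issuing CA" -out int.csr 2>/dev/null
sign int.csr root.pem root.key 365 ca.ext int.pem
genkey server.key
openssl req -new -key server.key -config req.cnf -subj "/CN=ise.example.com" -out server.csr 2>/dev/null
sign server.csr int.pem int.key 30 ee.ext server.pem
# Two candidate renewals reusing the same key pair: identical subject, and subject with O added.
sign server.csr int.pem int.key 365 ee.ext server-renew.pem
openssl req -new -key server.key -config req.cnf -subj "/O=Example/CN=ise.example.com" -out server-o.csr 2>/dev/null
sign server-o.csr int.pem int.key 365 ee.ext server-o.pem
cat root.pem int.pem > trusted.pem

# (1) Chain building: a store holding only the root cannot validate a peer that sends just its
#     end-entity certificate; the issuing CA must come from the peer or be in the trusted store.
verify_root_only()        { openssl verify -CAfile root.pem server.pem >/dev/null 2>&1; }
verify_peer_sends_chain() { openssl verify -CAfile root.pem -untrusted int.pem server.pem >/dev/null 2>&1; }
verify_int_in_store()     { openssl verify -CAfile trusted.pem server.pem >/dev/null 2>&1; }

# (2) Prints "yes" when certificates $1 and $2 share both subject DN and public key
#     (the case where ISE keeps only one of them), otherwise "no".
same_subject_and_key() {
  s1=$(openssl x509 -in "$1" -noout -subject); s2=$(openssl x509 -in "$2" -noout -subject)
  k1=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k2=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  if [ "$s1" = "$s2" ] && [ "$k1" = "$k2" ]; then echo yes; else echo no; fi
}

# (3) Expiry: succeeds when certificate $1 is still valid $2 days from now.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

if verify_root_only; then echo "root only: OK"; else echo "root only: FAIL (issuing CA missing)"; fi
if verify_peer_sends_chain; then echo "peer sends full chain: OK"; fi
if verify_int_in_store; then echo "issuing CA in trusted store: OK"; fi
echo "renewal with same subject and key: $(same_subject_and_key server.pem server-renew.pem)"
echo "renewal with O added:              $(same_subject_and_key server.pem server-o.pem)"
if valid_for_days server.pem 60; then echo "server cert still valid in 60 days"; else echo "server cert expires within 60 days: renew now"; fi
```

The `-untrusted` flag models a supplicant or server that presents its full chain, while `trusted.pem` models the issuing CA imported into the trusted certificates store; only one of the two is needed for the chain to build. The same `-checkend` check, run from a scheduled job against the live EAP certificate, is an easy way to get warning well before the expiry date.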
08-05-2018 01:06 AM
08-05-2018 01:59 PM
The latter. Please keep in mind that the subject is comprised of other fields than the common name so it's possible to have the same common name but different O or OU, for example.
07-29-2018 08:17 AM