
Renewing Self Signed Certificate on IPN Nodes 1.2

MANSOORQ123
Level 1

Dear Team

I have just upgraded the ISE infrastructure to 1.2. The IPN nodes have also been upgraded, and a default self-signed certificate is generated, which has a validity of 90 days.

On my ISE main units, I have self-signed certificates with 2048 modulus and SHA1-256 hash, validity = 12 years.

1: I want to generate a self-signed certificate on the IPN with the same specifications.

How can it be achieved? Is it through "pep certificate server add"?

IPN2/admin# pep certificate server add
Server Certificate change will result in application restart. Proceed? (y/n): y
Bind the certificate to private key made by last certificate signing request? (y/n):

But as such I am not generating any CSR, because we do not have any CA in our deployment.

Thanks

Ahad Samir

6 Replies

MANSOORQ123
Level 1

The above requirement is necessary because we don't have an enterprise CA in our deployment. We have to rely on self-signed certificates.

Further, self-signed certificates should be valid for a long period so that no communication issue happens.

Please read "Guidelines for Configuring Certificates for Inline Posture" from

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/user_guide/ise11_user_guide/ise_ipep_deploy.html

Hi Mansoor,

I have this same issue renewing the self-signed certificate of an IPN node. Did you find the solution?

Thanks,

Mario Falcao

Hi Mario

Unfortunately no solution was found; I could not contact TAC because of service contract issues.

Hi Mansoor,

I already opened a TAC case, and there is no way to renew a self-signed certificate for a period greater than 90 days; that's why Cisco recommends using a CA-signed certificate.

So currently you are renewing the self-signed certificate of your IPN node every 90 days?

Really amazed that no one has faced this basic requirement; it seems a TAC case needs to be opened now.