I have just upgraded the ISE infrastructure to 1.2. The IPN nodes have also been upgraded, and a default self-signed certificate is generated, which has a validity of 90 days.
On my ISE main units, I have self-signed certificates with 2048 modulus and SHA1-256 hash, validity = 12 years.
1: I want to generate a self-signed certificate on the IPN with the same specifications.
How can it be achieved? Is it through "pep certificate server add"?
IPN2/admin# pep certificate server add
Server Certificate change will result in application restart. Proceed? (y/n): y
Bind the certificate to private key made by last certificate signing request? (y/n):
But as such, I am not generating any CSR, because we do not have any CA in our deployment.
The above requirement is necessary because we don't have an enterprise CA in our deployment. We have to rely on self-signed certificates.
Further, self-signed certificates should be valid for a long period so that no communication issue happens.
Please read "Guidelines for Configuring Certificates for Inline Posture" from
I already opened a TAC case, and there is no way to renew a self-signed certificate for a period greater than 90 days; that's why Cisco recommends using a CA-signed certificate.
So currently you are renewing the self-signed certificate of your IPN node every 90 days?