
When do new ISE System certificates take effect when the old cert is still valid but close to its expiry date?

franjean47
Level 1

We have to renew System Certificates that will expire in a few days, in a distributed environment, using the same external CA. We are running 2.2 patch 7. We changed the OU (CN,OU,C,O,L,ST) field so that the subject is different from the current one and selected Multi Use (Admin, EAP Authentication, Portal) when generating the CSR for the renewal.

The following is what I need clarity on.

1. When to edit the PSNs' Usage to EAP Authentication after the Bind was successful?
2. What is the behavior when both the old but still valid cert is in the system and the new cert has been updated with EAP usage?
3. Will the new one take over immediately when it is updated with the Usage, or will it only come into effect after the old one has expired?
4. Is there a way that you can force the ISE to use new certs before the old one expires without deleting, or do you have to wait until the old cert expires and then see what the authentication behavior is?

 

Accepted Solutions

Mike.Cifelli
VIP Alumni
1. When to edit the PSNs' Usage to EAP Authentication after the Bind was successful?
Since you selected Multi Use (Admin, EAP Authentication, Portal) when generating the CSR for the renewal, this is going to trigger a restart of services, so plan accordingly. Maybe do a split-brain approach (one PSN, Secondary PAN, the other PSN, etc.).
2. What is the behavior when both the old but still valid cert is in the system and the new cert has been updated with EAP usage?
You will only be able to bind one or the other. Once you bind the new cert it is not a big deal if the old (no longer in use) one sits there. Better practice is to remove it.
3. Will the new one take over immediately when it is updated with the Usage, or will it only come into effect after the old one has expired?
It will take over immediately upon you triggering it.
4. Is there a way that you can force the ISE to use new certs before the old one expires without deleting, or do you have to wait until the old cert expires and then see what the authentication behavior is?
You can manually force the binding of the new certificate.
I assume the certificate chain will not change since you said you are using the same external CA. I say this because if the chain changes, this could cause issues if the intermediate cert is not trusted on workstations.
Good luck & HTH!

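Two points in the answer above are worth verifying rather than assuming once the new certificate is bound: that each node is actually presenting the new certificate (it takes over immediately, so the old one should no longer be seen), and that the chain it presents is still trusted by clients. The following is an added example, not code from the thread, from Cisco, or from ISE itself: a standard-library-only Python check that connects to a node's Admin or Portal TLS port, validates the chain against a CA bundle, and reports whether the presented certificate has the expected subject and issuer and how many days of validity remain. The host name, port, CA bundle path and CN values are placeholders, and the embedded sample certificate dictionary is constructed to mirror the shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Added example (not from the thread): verify which server certificate an ISE
node presents after a new System Certificate is bound, and how long it is valid.

Assumptions (placeholders, not from the original post): the node host name, the
Admin/Portal TLS port, the CA bundle path, and the expected subject/issuer CNs.
Uses only the Python standard library.
"""
import socket
import ssl
from datetime import datetime, timezone


def utc_date(year, month, day):
    """Small helper so callers can build a timezone-aware UTC midnight."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_name(rdn_sequence):
    """Flatten the ((('commonName', 'x'),), ...) structure that getpeercert()
    returns for 'subject' and 'issuer' into a plain dict."""
    return {key: value for rdn in rdn_sequence for (key, value) in rdn}


def days_remaining(cert, now=None):
    """Days from `now` until the certificate's notAfter; negative once expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def assess(cert, expected_cn, expected_issuer_cn, now=None, warn_days=14):
    """Compare the presented certificate against what should now be bound.

    Returns a list of human-readable findings; an empty list means the node is
    serving the expected certificate, from the expected issuer, with more than
    `warn_days` of lifetime left."""
    findings = []
    subject = parse_name(cert["subject"])
    issuer = parse_name(cert["issuer"])
    if subject.get("commonName") != expected_cn:
        findings.append(f"subject CN is {subject.get('commonName')!r}, expected "
                        f"{expected_cn!r} (is the old certificate still bound?)")
    if issuer.get("commonName") != expected_issuer_cn:
        findings.append(f"issuer CN is {issuer.get('commonName')!r}, expected "
                        f"{expected_issuer_cn!r} (chain changed; confirm clients "
                        "trust the new intermediate)")
    remaining = days_remaining(cert, now)
    if remaining < 0:
        findings.append(f"certificate expired {-remaining:.1f} days ago")
    elif remaining < warn_days:
        findings.append(f"certificate expires in {remaining:.1f} days")
    return findings


def fetch_cert(host, port, cafile):
    """Connect with TLS and return the validated peer certificate as a dict.

    Validation against `cafile` is deliberate: getpeercert() only returns the
    parsed dict when the chain verified, so an ssl.SSLCertVerificationError
    raised here is itself the finding that the presented chain is not trusted
    by a client holding that CA bundle."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the same shape getpeercert() returns, so the checks can
# run offline; the names and dates are invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "ise-psn1.example.com"),),
                (("organizationalUnitName", "NetSec"),)),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan 31 00:00:00 2020 GMT",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # Live check, e.g.: python check_ise_cert.py ise-psn1.example.com 8443 ca-chain.pem
        host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        findings = assess(fetch_cert(host, port, cafile), host, "Example Issuing CA")
    else:
        # Offline run against the constructed sample, ten days before it expires.
        findings = assess(SAMPLE_CERT, "ise-psn1.example.com", "Example Issuing CA",
                          now=utc_date(2020, 1, 21))
    for line in findings:
        print("WARN:", line)
```

This covers the Admin and Portal usages, which are served on TCP ports. The EAP Authentication certificate is presented inside the EAP-TLS/PEAP exchange carried over RADIUS, not on a TCP port, so confirming that usage after the bind means running a test authentication from a supplicant and inspecting the server certificate it receives.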

Renewing a cert that has the Admin role will cause a restart. This is why I generally recommend separating Admin from the rest, if there is the option of creating a long-lived Admin cert (say, 3 years) and if the EAP cert is not related to the Admin PKI. If customers lump it all into one, then this is a moot point. But it's quite disruptive to keep updating the Admin cert, and for very little reason. Either the cert was issued by a public CA, and therefore they only create up to 3-year certs, or the Security Team is paranoid (as usual). I have seen 1-year certs for the Admin role, and those customers are entering a world of pain.

Admin cert: SHA256, 4096 bits, 5 years+ - leave it alone.

Renewing other ISE certs doesn't require an application restart. I'd still make the certs last as long as possible to avoid this operational overhead.


Thank you very much for the feedback

