cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
467
Views
15
Helpful
3
Replies
Highlighted
Beginner

When does new ISE System certificates take effect when old cert is still valid but close to expire date?

We have to renew System Certificates in a distributed environment that will expire in a few days using the same external CA. We are running 2.2 patch 7. We changed the OU (CN,OU,C,O,L,ST) field so that the subject is different than the current one and selected Multi Use (Admin, EAP Authentication, Portal) when generating the CSR for the renewal.

 

The following is what I need clarity on.

1. When to edit the PSNs Usage to EAP Authentication after the Bind was successfull?
2. What is the behavior when both the old but still valid cert is in the system and the new cert has been updated with EAP usage?
3. Will the new one take immediately over when it is updated with the Usage or will it only come into effect after the old one has expired?

4. Is there a way that you can force the ISE to use new certs before the old one expires without deleting or do you have to wait until the old cert expires and then see what the authentication behavior is?

 

Everyone's tags (2)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Rising star

Re: When does new ISE System certificates take effect when old cert is still valid but close to expire date?

1. When to edit the PSNs Usage to EAP Authentication after the Bind was successfull?
Since you selected multi-use (selected Multi Use (Admin, EAP Authentication, Portal) when generating the CSR for the renewal.) this is going to trigger a restart of services so plan accordingly. Maybe do a split brain approach (One PSN, Secondary PAN, the other PSN, etc.).
2. What is the behavior when both the old but still valid cert is in the system and the new cert has been updated with EAP usage?
You will only be able to bind one or the other. Once you bind the new cert it is not a big deal if the old (no longer in use) sits there. Better practice to remove it.
3. Will the new one take immediately over when it is updated with the Usage or will it only come into effect after the old one has expired?
It will take over immediately upon you triggering it.
4. Is there a way that you can force the ISE to use new certs before the old one expires without deleting or do you have to wait until the old cert expires and then see what the authentication behavior is?
You can manually force the binding of the new certificate.
I assume the certificate chain will not change since you said you are using the same external CA. I say this because if the chain changes this could cause issues if the intermediate cert is not trusted on workstations.
Good luck & HTH!
VIP Advocate

Re: When does new ISE System certificates take effect when old cert is still valid but close to expire date?

Renewing a cert that has Admin role will cause a restart.  And this is why I generally recommend to separate Admin from the rest, if there is the option of creating a long-lived Admin cert (say, 3 years) and if the EAP cert is not related to the Admin PKI.  If customers lump it all into one, then this is a moot point.  But it's quite disruptive to keep updating the Admin cert, and for very little reason.  Either the cert was issued by a public CA, and therefore they only create up to 3 year certs, or Security Team is paranoid (as usual).  I have seen 1 year certs for Admin role and those customers are entering a world of pain.

Admin cert:  SHA256, 4096 bits, 5 years+  - leave it alone.

 

Renewing other ISE certs doesn't require an application restart.  I'd still make the certs last as long as possible to avoid this operational overhead.  

3 REPLIES 3
Rising star

Re: When does new ISE System certificates take effect when old cert is still valid but close to expire date?

1. When to edit the PSNs Usage to EAP Authentication after the Bind was successfull?
Since you selected multi-use (selected Multi Use (Admin, EAP Authentication, Portal) when generating the CSR for the renewal.) this is going to trigger a restart of services so plan accordingly. Maybe do a split brain approach (One PSN, Secondary PAN, the other PSN, etc.).
2. What is the behavior when both the old but still valid cert is in the system and the new cert has been updated with EAP usage?
You will only be able to bind one or the other. Once you bind the new cert it is not a big deal if the old (no longer in use) sits there. Better practice to remove it.
3. Will the new one take immediately over when it is updated with the Usage or will it only come into effect after the old one has expired?
It will take over immediately upon you triggering it.
4. Is there a way that you can force the ISE to use new certs before the old one expires without deleting or do you have to wait until the old cert expires and then see what the authentication behavior is?
You can manually force the binding of the new certificate.
I assume the certificate chain will not change since you said you are using the same external CA. I say this because if the chain changes this could cause issues if the intermediate cert is not trusted on workstations.
Good luck & HTH!
VIP Advocate

Re: When does new ISE System certificates take effect when old cert is still valid but close to expire date?

Renewing a cert that has Admin role will cause a restart.  And this is why I generally recommend to separate Admin from the rest, if there is the option of creating a long-lived Admin cert (say, 3 years) and if the EAP cert is not related to the Admin PKI.  If customers lump it all into one, then this is a moot point.  But it's quite disruptive to keep updating the Admin cert, and for very little reason.  Either the cert was issued by a public CA, and therefore they only create up to 3 year certs, or Security Team is paranoid (as usual).  I have seen 1 year certs for Admin role and those customers are entering a world of pain.

Admin cert:  SHA256, 4096 bits, 5 years+  - leave it alone.

 

Renewing other ISE certs doesn't require an application restart.  I'd still make the certs last as long as possible to avoid this operational overhead.  

Beginner

Re: When does new ISE System certificates take effect when old cert is still valid but close to expire date?

Thank you very much for the feedback