Arne Bier (VIP)

Have you ever wondered what happens when an ISE admin certificate reaches its expiry date? Probably not; it is a situation nobody wants to think about, because it just sounds like bad news.

We would normally heed the ISE certificate expiry warning in the Alarm viewer, and renew way in advance ... right? ;-)

 

But what DOES happen when the ISE admin certificate has expired? Let's say the system has been left running for a long time and nobody looks at the alarms. It could very well happen to anyone.

 

Here is what you would see if you browse to the PAN using the FQDN:

[Image: FQDN expiry notice.png]

 

This is displayed in the Firefox browser, and any other security-conscious browser should act the same. It refuses access to the ISE PAN. Oh dang! How do I get back in?

The Admin certificate has two SAN DNS entries and an IP address (but I made an unintentional mistake with the IP):

DNS Name: ise01.net.local
DNS Name: ise01
IP: 92.168.21.100

 

It turns out that the browser will turn a blind eye to this dilemma if I use the IP address of the PAN node instead.  I will have to re-test to see what would have happened if I had entered the SAN IP address correctly.

 

[Image: IP address works.png]

 

I was able to log back in again!  

 

[Image: ise alarm.PNG]

 

I will have to create another cert with a valid SAN IP address and see whether that works too.  This is only a lab node and it's okay if I lose access forever.
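As a defender-side check added here (not code from the original post or from Cisco), the two independent tests a browser applies to the admin certificate, validity period and SAN matching, run offline against a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, populated with the SAN entries from the post. It shows why `ise01.net.local` is refused once the cert has expired, that `192.168.21.100` does not match the mistyped SAN IP (so the IP login above was not a SAN match), and adds the 30-day early warning the ISE alarm is meant to give; the `warn_days` threshold is an assumption.

```python
import ipaddress
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# the SAN entries from the post (mistyped IP included) and a notAfter
# that is already in the past.
EXPIRED_ISE_CERT = {
    "subjectAltName": (
        ("DNS", "ise01.net.local"),
        ("DNS", "ise01"),
        ("IP Address", "92.168.21.100"),
    ),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}


def san_matches(cert, target):
    """True if target (a DNS name or an IP literal) matches a SAN entry.
    IP literals are compared only with 'IP Address' entries and hostnames
    only with 'DNS' entries, as browsers do; the subject CN is ignored."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # a malformed SAN IP can never match
        elif ip is None and kind == "DNS" and value.lower() == target.lower():
            return True
    return False


def check_cert(cert, target, now=None, warn_days=30):
    """Return the reasons a browser would reject cert for target, plus an
    early warning when expiry is near; an empty list means all clear."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    if now > not_after:
        problems.append("expired on " + cert["notAfter"])
    elif now > not_after - warn_days * 86400:
        problems.append("expires within %d days" % warn_days)
    if not san_matches(cert, target):
        problems.append("no SAN entry matches %r" % target)
    return problems
```

To run it against a live node, feed `check_cert` the dict from `getpeercert()` on a verified connection; an already-expired cert will not verify, so its DER form (`getpeercert(binary_form=True)`) has to be decoded first.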

2 Comments

Clem58 (Level 3)

Hello, thanks for this tip.

Has anyone tested this with production ISE? Does it work?

Arne Bier (VIP)

@Clem58 - I was working on a customer network the other day, where the Admin cert had expired, but I was still able to log into the node. I was surprised that this was allowed. ISE 2.4

I had to de-register two of the nodes in their deployment, and then register them back in. When I tried registering them back in, ISE informed me that the cert had expired and refused to register the standalone node back into the deployment (which it was happy about just 1 hour earlier!) - so I had to renew the self-signed cert and then it was happy again.

 

Browsers change over time and this is probably a moving landscape. And to make matters worse, each browser may handle things differently to others. I usually try with all possible browsers to see what might happen.
