
Renewing Cisco ISE certs (Go Daddy)

Scott.Martinsen
Level 1

Hey All,


We have a Go Daddy cert that is expiring. My question is whether I need to generate a new CSR or not. I went to Go Daddy and got the same cert we are using renewed for two more years. When I download from Go Daddy I get two .crt files, one being the .crt for the local store and the other the cert for the trusted store. The third file is a .pem file. So my first question is, because this is the same cert renewed, would I still need to import the Go Daddy root cert into the trusted store? When I try, I get an extension error. If I try to just go to the local store and import the new .crt and .pem file, I get an error about the password not being correct.

So I'm not sure if I need to import the Go Daddy root cert into the trusted store and uncheck the check for extensions tab, or if I need to generate a new CSR and go to Go Daddy and rekey the cert? In my mind, because it's the same cert, I shouldn't have to do that. Or am I missing something? That's very possible.


Thanks!


-Scott

Accepted Solution

Greg Gibbs
Cisco Employee

If the new identity cert was signed by the same Root CA chain that signed the expiring cert, then you would not need to update the certs in the Trusted Certificates store. The only way to know for sure is to open the Root (as well as any Intermediate) cert that was provided by GoDaddy and compare the Serial Number to the ones already in the ISE Trusted Certificates store.

The identity certificate in the ISE System Certificates store would have the old expiry date. The 'extended' cert provided by GoDaddy will likely have a new Serial Number (you can check using the same method above). I suspect the .pem and .crt files are the same identity cert in different formats (.pem = PEM; .crt = DER).

I'm not sure what GoDaddy does to 'extend' the expiry. If the process uses the same CSR, you might be able to export the original cert with the private key and import the new cert with the same private key file (and password used to export). If that does not work, you will likely need to create a new CSR in ISE and rekey the cert with GoDaddy. If that's the case, be aware of the following caveat related to using the same Subject in the CSR:

https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/td-p/4066008 

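As an added example (not part of the thread, and not Cisco or GoDaddy code), the two checks Greg describes can be done offline with Python's `cryptography` package instead of by eye in the ISE GUI: compare the serial numbers of the supplied root/intermediate certs with the ones already trusted, and test whether the renewed identity cert still matches the existing private key, which tells you whether the renewal reused the original CSR or the cert was rekeyed. The certificates, keys and hostname are constructed inside the script; with real files, pass `open(path, "rb").read()` to `load_cert`.

```python
# Added example, not from the thread: certs and keys below are constructed
# in-script to stand in for the files GoDaddy ships and the key already in ISE.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def load_cert(data: bytes) -> x509.Certificate:
    """Accept either encoding: the .pem file is PEM, the .crt file may be DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return x509.load_pem_x509_certificate(data)
    return x509.load_der_x509_certificate(data)

def serial_hex(cert: x509.Certificate) -> str:
    return format(cert.serial_number, "X")  # matches the hex shown in the ISE GUI

def missing_from_trusted(new_chain, trusted) -> list:
    """Serials of supplied root/intermediate certs not already in the Trusted store."""
    known = {serial_hex(c) for c in trusted}
    return [serial_hex(c) for c in new_chain if serial_hex(c) not in known]

def same_key(cert: x509.Certificate, private_key) -> bool:
    """True when the renewed cert still pairs with the existing private key (same CSR)."""
    enc = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return cert.public_key().public_bytes(*enc) == private_key.public_key().public_bytes(*enc)

def _self_signed(cn: str, key, days: int) -> x509.Certificate:
    """Constructed demo cert; a real CA-issued cert would be loaded with load_cert."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .sign(key, hashes.SHA256()))

def demo() -> dict:
    old_key = rsa.generate_private_key(65537, 2048)   # key behind the expiring cert
    new_key = rsa.generate_private_key(65537, 2048)   # key a fresh CSR would create
    root = _self_signed("Demo Root CA", rsa.generate_private_key(65537, 2048), 3650)
    root_der = load_cert(root.public_bytes(serialization.Encoding.DER))  # ".crt" style
    renewed_same_csr = _self_signed("ise.example.test", old_key, 730)
    renewed_rekeyed = _self_signed("ise.example.test", new_key, 730)
    return {
        "chain_unchanged": missing_from_trusted([root_der], [root]) == [],
        "same_csr_reuses_key": same_key(renewed_same_csr, old_key),
        "rekeyed_matches_old_key": same_key(renewed_rekeyed, old_key),
    }
```

If `same_csr_reuses_key` is what your real files report, the exported private key can be reused with the renewed cert; if the result looks like `rekeyed_matches_old_key`, a new CSR from ISE is unavoidable.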

2 Replies

Marvin Rhoads
Hall of Fame

Moving thread to Network Access Control forum (vs. Network Security).
