
New Member

Renewing Self Signed Certificate on IPN Nodes 1.2

Dear Team

I have just upgraded the ISE infrastructure to 1.2. The IPN nodes have also been upgraded, and a default self-signed certificate is generated, which has a validity of 90 days.

On my ISE main units, I have self-signed certificates with a 2048 modulus and SHA1-256 hash, validity = 12 years.

1: I want to generate a self-signed certificate on the IPN with the same specifications.

How can it be achieved? Is it through "pep certificate server add"?

IPN2/admin# pep certificate server add
Server Certificate change will result in application restart. Proceed? (y/n): y
Bind the certificate to private key made by last certificate signing request? (y/n):

But as such I am not generating any CSR, because we do not have any CA in our deployment.

Thanks

Ahad Samir

 

 

6 REPLIES
New Member


The above requirement is necessary because we don't have an enterprise CA in our deployment. We have to rely on self-signed certificates.

Further, self-signed certificates should be valid for a long period so that no communication issue happens.


Please read "Guidelines for Configuring Certificates for Inline Posture" from

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/user_guide/ise11_user_guide/ise_ipep_deploy.html

New Member


Hi Mansoor,

I have this same issue renewing the self-signed certificate of the IPN node. Did you find the solution?

 

Thanks,

Mario Falcao

New Member


Hi Mario

Unfortunately no solution was found; I could not contact TAC because of service contract issues.

 

 

New Member


Hi Mansoor,

I already opened a TAC case, and there is no way to renew the self-signed certificate for a period greater than 90 days, which is why Cisco recommends using a CA-signed certificate.

 

So currently you are renewing the self-signed certificate of your IPN node every 90 days?

 

 

New Member


Really amazed that no one has faced this basic requirement; seems I need to open a TAC case now.
