This document describes the best practices and proactive procedures to renew certificates on the Cisco
Identity Services Engine (ISE). It also reviews how to set up alarms and notifications so administrators are
warned of imminent events such as certificate expiration.
As an ISE administrator, you eventually encounter the fact that ISE certificates expire. If your ISE server
has an expired certificate, serious problems can arise unless you replace the expired certificate with a new,
valid certificate.
Note: If the certificate that is used for the Extensible Authentication Protocol (EAP) expires, all
authentications can fail because clients do not trust the ISE certificate anymore. If the ISE Admin
Certificate expires, the risk is even greater: an administrator is not able to log in to the ISE anymore,
and the distributed deployment can cease to function and replicate.
The ISE administrator must install a new, valid certificate on the ISE before the old certificate expires. This
proactive approach prevents or minimizes downtime and avoids an impact on your end-users. Once the validity
period of the newly installed certificate begins, you can enable the EAP/Admin or any other role on the new
certificate.
You can configure the ISE so that it generates alarms and notifies the administrator to install new certificates
before the old certificates expire.
Note: This document uses a self-signed certificate for the ISE Admin role in order to demonstrate
the impact of certificate renewal, but this approach is not recommended for a production system. It is
better to use a CA-signed certificate for both the EAP and Admin roles.
Configure
View ISE Self-Signed Certificates
When the ISE is installed, it generates a self-signed certificate. The self-signed certificate is used for
administrative access and for communication within the distributed deployment (HTTPS) as well as for user
authentication (EAP). In a live system, use a CA certificate instead of a self-signed certificate.
Tip: Refer to the Certificate Management in Cisco ISE section of the Cisco Identity Services Engine
Hardware Installation Guide, Release 3.0 for additional information.
The format for an ISE certificate must be Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules
(DER).
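The proactive check the preceding sections call for, as an added example that is not part of the Cisco document and not ISE's own alarm code: it accepts a certificate in either of the two formats ISE requires (PEM or DER), reads notBefore/notAfter from the DER structure with a small standard-library-only ASN.1 reader, and maps the remaining days to an alarm level. The 90/60/30-day thresholds are an assumption for illustration, not ISE's configured values, and build_sample_cert produces a constructed certificate skeleton (correct X.509 outer layout, placeholder key and signature) so the script runs offline; in practice you would point validity_period at the exported ISE system certificate file instead.

```python
import base64
import datetime as dt
import re

# --- format handling: ISE accepts PEM or DER, so normalise to DER first ---
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the input was PEM (Base64 armour) or raw DER."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour with 64-column Base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"

# --- minimal DER reader: just enough to reach tbsCertificate.validity ---
def _read_tlv(buf: bytes, pos: int):
    """Decode one tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) members."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        items.append((tag, val))
    return items

def utc(year: int, month: int, day: int) -> dt.datetime:
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)

def _parse_time(tag: int, val: bytes) -> dt.datetime:
    text = val.decode("ascii")
    if tag == 0x17:      # UTCTime: YYMMDDHHMMSSZ
        t = dt.datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:    # GeneralizedTime: YYYYMMDDHHMMSSZ
        t = dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)

def validity_period(cert: bytes):
    """Return (notBefore, notAfter) as aware UTC datetimes from a PEM or DER certificate."""
    der = to_der(cert)
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert_body, 0)       # tbsCertificate is the first member
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)

# --- proactive alarm logic (thresholds are an assumption, not ISE's own settings) ---
THRESHOLDS = {"CRITICAL": 30, "WARNING": 60, "INFO": 90}

def days_until_expiry(cert: bytes, now=None) -> int:
    now = now or dt.datetime.now(dt.timezone.utc)
    return (validity_period(cert)[1] - now).days

def alarm_level(days_left: int) -> str:
    if days_left < 0:
        return "EXPIRED"
    for level in ("CRITICAL", "WARNING", "INFO"):
        if days_left <= THRESHOLDS[level]:
            return level
    return "OK"

# --- constructed sample: same outer ASN.1 layout as X.509, placeholder key and signature ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_sample_cert(not_before: str, not_after: str) -> bytes:
    """Certificate skeleton (constructed for this example) with the given UTCTime validity."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"ise-admin"))))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    spki = _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00" * 65))        # placeholder public key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sha256_rsa + name + validity + name + spki)
    signature = _tlv(0x03, b"\x00" * 65)                             # placeholder signature
    return _tlv(0x30, tbs + sha256_rsa + signature)

if __name__ == "__main__":
    pem = to_pem(build_sample_cert("240101000000Z", "250101000000Z"))
    left = days_until_expiry(pem, now=utc(2024, 12, 2))
    print(left, alarm_level(left))    # 30 CRITICAL
```

Run it periodically against the certificate exported from Administration > System > Certificates > System Certificates and forward anything other than OK to your monitoring; the point of the thresholds is that the replacement certificate is requested, installed and activated for the EAP/Admin role well before the EXPIRED state is ever reached.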
In order to view the initial self-signed certificate, navigate to Administration > System > Certificates >
System Certificates in the ISE GUI, as shown in this image.