topic ise certificate in Network Access Control

ise certificate

muhsi_2015 — Mon, 11 Mar 2019 07:24:52 GMT

Hi,
I was using an internal ca for certificates .Unfortunately it is crahed and cannot recoverable .
Using EAP and web authntication ( for guest portal)
Need to add the certificate from the new CA .
Do I need to break the cluster first ?
Or what is the procedure
if yes how

Thanks

No need to break the

Rahul Govindan — Tue, 31 Jan 2017 13:15:04 GMT

No need to break the deployment to add the new certificate. You can follow the steps below:

1) Generate CSR on all nodes and send to CA. IF you are using a wildcard, generate CSR on one node and send it to CA.

2) Obtain the issued cert and install it on all nodes. Do NOT replace the old cert yet.

3) Import the new CA certificate in the Trusted store on the primary node in deployment alone.

4) Change the system cert to new cert on all other nodes. This will force a restart of the services. Wait till they come back up successfully in the deployment.

5) Change the system cert of primary node. This will also cause restart of services. Once it comes back all nodes in your deployment should have new cert.

Hi,

muhsi_2015 — Tue, 31 Jan 2017 16:21:55 GMT

Hi,

Now the certificate hierarchy has changed

Root , subordinate CA ,then certificate

ROOT-CA
INTERNAL-CA
certificate

Before there was only rootca (microsoft ).

How to accomodate this change

Thanks

Install both Root and

Rahul Govindan — Tue, 31 Jan 2017 16:28:08 GMT

Install both Root and subordinate CA certs into the Trusted cert store. Nothing else should change.

Hi,

muhsi_2015 — Thu, 02 Feb 2017 11:20:41 GMT

Hi,

" 1) Generate CSR on all nodes and send to CA. IF you are using a wildcard, generate CSR on one node and send it to CA. "

I don't have the import or export option in secondary node for exporting or importing certificates . And No option for CSR in the secondary .

Second thing , the above step is same If I am changing from self signed certificate to internal CA

Thanks

Sorry, I should have been

Rahul Govindan — Thu, 02 Feb 2017 12:46:25 GMT

Sorry, I should have been more clear. The export and import functionality for all nodes is available only on the the primary node. Check the new primary admin wildcard cert and click Export. Click on import and select the secondary node to import to that node.

Same goes with CSR, you have to generate CSR for all nodes using the GUI of the primary node.