topic Re: ISE Certificate import/export in Network Access Control

ISE Certificate import/export

wileong — Tue, 30 Apr 2019 07:55:51 GMT

What is the best way to import/export all certificate including ISE signed certificate to another ISE cluster?

Backup/Restore does not includes ISE signed identity certificate.

Thanks

Wing Churn

Re: ISE Certificate import/export

Jason Kunst — Tue, 30 Apr 2019 10:35:17 GMT

You shouldn’t be using self-signed as there is likely no way to get them off. You should generate certificates that are known to the endpoints. Either from an internal CA or well known root. This way you have them and can apply them to another system

Re: ISE Certificate import/export

Arne Bier — Thu, 02 May 2019 11:27:42 GMT

Hey @wileong - are you referring to the client certs that the internal ISE CA has generated? if so then you are correct, these are not contained in the config backup - you need to export those via the CLI

see option 7 below (export Internal CA Store)

ise01/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[0]Exit

If on the other hand, you are referring to the ISE System Certificates (Admin/EAP/Portal/DTLS etc) then @Jason Kunst is spot on - those you should not export - it's bad practice. Rather have system cert created for your ISE nodes via a PKI (public or internal). You can of course export them but it's not recommended, unless the cert is a wildcard cert, or a cert that has a SAN that allows the cert to be re-used elsewhere. But again, in the case of self-signed certs, this should be avoided.

Re: ISE Certificate import/export

Jason Kunst — Thu, 02 May 2019 14:13:09 GMT

Some links with more info
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_00.html

Re: ISE Certificate import/export

wileong — Fri, 03 May 2019 06:38:45 GMT

Sorry for not being clear, I was referring to endpoint certificate generated using internal ISE CA.

Re: ISE Certificate import/export

wileong — Fri, 03 May 2019 06:39:07 GMT

Thanks for the info.

Re: ISE Certificate import/export

howon — Sat, 04 May 2019 02:00:15 GMT

Endpoint cert should be part of config backup. But, even if it is not present on the new deployment, as part of PKI trust you can authenticate endpoints as long as your new ISE deployment trusts old CA for EAP. Only feature you will lose will be ability to revoke certificates.