topic Re: System Certificates Backup/Restore in Network Access Control https://community.cisco.com/t5/network-access-control/system-certificates-backup-restore/m-p/3448865#M509005 <HTML><HEAD></HEAD><BODY><P>Yes they are.</P><P>You can only restore a config backup on a standalone node.&nbsp; Once restored, you'll have the appropriate system cert that matches the hostname.&nbsp; Let's say your old pan was ise01 and you had a system cert for that.&nbsp; If int he deployment you also had ise02, ise03 with their own system certs, and if you restored the backup onto one of them, then I think ISE is clever enough to apply the appropriate system cert to the standalone node.</P><P>However, when you register additional nodes back into the deployment then those standalone nodes will know nothing about the PAN.&nbsp; You'll have to prep each standalone with your PKI Trusted Certs and then the node's system certs prior to registering it with the PAN.&nbsp;&nbsp; You could cheat and use self-signed certs but that's not cool.</P></BODY></HTML> Fri, 15 Jun 2018 02:50:57 GMT Arne Bier 2018-06-15T02:50:57Z System Certificates Backup/Restore https://community.cisco.com/t5/network-access-control/system-certificates-backup-restore/m-p/3448864#M509004 <HTML><HEAD></HEAD><BODY><P>Are system certificates included in a configuration backup of ISE?&nbsp; If so, what happens during a restore?&nbsp; Are the existing system certificates on the target system deleted and replaced with the system certificates from the backup?</P></BODY></HTML> Thu, 14 Jun 2018 21:43:22 GMT https://community.cisco.com/t5/network-access-control/system-certificates-backup-restore/m-p/3448864#M509004 matthen 2018-06-14T21:43:22Z Re: System Certificates Backup/Restore https://community.cisco.com/t5/network-access-control/system-certificates-backup-restore/m-p/3448865#M509005 <HTML><HEAD></HEAD><BODY><P>Yes they are.</P><P>You can only restore a config backup on a standalone node.&nbsp; Once restored, you'll have the appropriate system cert that matches the hostname.&nbsp; Let's say your old pan was ise01 and you had a system cert for that.&nbsp; If int he deployment you also had ise02, ise03 with their own system certs, and if you restored the backup onto one of them, then I think ISE is clever enough to apply the appropriate system cert to the standalone node.</P><P>However, when you register additional nodes back into the deployment then those standalone nodes will know nothing about the PAN.&nbsp; You'll have to prep each standalone with your PKI Trusted Certs and then the node's system certs prior to registering it with the PAN.&nbsp;&nbsp; You could cheat and use self-signed certs but that's not cool.</P></BODY></HTML> Fri, 15 Jun 2018 02:50:57 GMT https://community.cisco.com/t5/network-access-control/system-certificates-backup-restore/m-p/3448865#M509005 Arne Bier 2018-06-15T02:50:57Z