https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644683#M575935 <P>I have an ISE environment that we use for Tacacs, we are running version 2.6.&nbsp; &nbsp;The issue that I have is that for whatever reason, someone renewed the production TLS certificate on the primary admin node but didn't update the other nodes.&nbsp; &nbsp;So now when I go into the certificate store area and try to select any of the other two nodes [with expired 3rd party certificate] I get the error you see attached.</P><P>&nbsp;</P><P>&nbsp;</P><P>Can someone show me the article that would show someone how to renew certificates on a node that is giving this error?&nbsp; Thanks!&nbsp;&nbsp;</P> Wed, 06 Jul 2022 00:34:26 GMT rfountain72 2022-07-06T00:34:26Z https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644683#M575935 <P>I have an ISE environment that we use for Tacacs, we are running version 2.6.&nbsp; &nbsp;The issue that I have is that for whatever reason, someone renewed the production TLS certificate on the primary admin node but didn't update the other nodes.&nbsp; &nbsp;So now when I go into the certificate store area and try to select any of the other two nodes [with expired 3rd party certificate] I get the error you see attached.</P><P>&nbsp;</P><P>&nbsp;</P><P>Can someone show me the article that would show someone how to renew certificates on a node that is giving this error?&nbsp; Thanks!&nbsp;&nbsp;</P> Wed, 06 Jul 2022 00:34:26 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644683#M575935 rfountain72 2022-07-06T00:34:26Z https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644687#M575937 <P>You should be able to HTTPS directly to the other nodes.&nbsp; On the admin GUI, you can perform certificate operations on the individual nodes.&nbsp;&nbsp;</P> <P>Also:&nbsp;<A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2503911.html" target="_blank">https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2503911.html</A></P> Wed, 06 Jul 2022 00:45:59 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644687#M575937 ahollifield 2022-07-06T00:45:59Z https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644694#M575938 <P>Thank you, I'm a bit closer as I'm logged into that node directly but the only choice I have is to "export" certificates.&nbsp; I don't see where I can import the certificate that I exported from the primary PAN.&nbsp; &nbsp;I logged onto the other node as well and same thing, just "export".&nbsp; &nbsp; &nbsp;Does this need to be done via CLI?&nbsp; &nbsp;I'm logging in with the local admin account to make sure I have all rights.&nbsp;&nbsp;</P> Wed, 06 Jul 2022 01:00:35 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644694#M575938 rfountain72 2022-07-06T01:00:35Z https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644698#M575940 <P>Yeah I misunderstood the original question, for the secondary nodes I’ve always just rebuilt from scratch when I run into this at customer sites. See this thread:&nbsp;<A href="https://community.cisco.com/t5/network-access-control/ise-expired-certificate-on-de-auth-node/td-p/4442884" target="_blank">https://community.cisco.com/t5/network-access-control/ise-expired-certificate-on-de-auth-node/td-p/4442884</A></P> Wed, 06 Jul 2022 01:52:38 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4644698#M575940 ahollifield 2022-07-06T01:52:38Z https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4645438#M575992 <P>Or if it's possible to de-register the nodes ? Once they are in Standalone you can manage them directly. But if the de-registration doesn't work then a rebuild is needed</P> Wed, 06 Jul 2022 21:10:18 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-with-expired-admin-certificate/m-p/4645438#M575992 Arne Bier 2022-07-06T21:10:18Z