topic ISE 2 node deployment - admin certificate not trusted in Network Access Control

ISE 2 node deployment - admin certificate not trusted

dusansim — Wed, 22 Oct 2025 10:02:30 GMT

Hello.

I have a two node ISE setup, running version 3.0.0.458. Both nodes have administration, monitoring and policy service personas. There are 2 certificates used:

- self signed for Admin, Portal

- internal CA issued certificate for RADIUS DTLS, EAP Authentication

The secondary node self signed certificate was expiring, I generated new self signed certificate and lost admin control over the node. The nodes are still connected, however I am not able to manage it via the primary node GUI and the only thing I can do on the secondary node is to promote it to the Standalone node.

What is the correct approach to fix the situation? I was thinking of changing role of the secondary node to standalone to get admin access, deregister secondary node from the primary GUI, then register it again to trust its new self signed certificate.

Re: ISE 2 node deployment - admin certificate not trusted

ahollifield — Wed, 22 Oct 2025 17:06:57 GMT

Why are you using self-signed certificates? Also why a two node deployment, and not three?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-0.html

Re: ISE 2 node deployment - admin certificate not trusted

Arne Bier — Wed, 22 Oct 2025 23:30:06 GMT

Hi @dusansim

Probably de-register and re-register is the way to go.

In future, instead of regenerating an ISE self-signed cert, you should rather edit them and extend the lifespan. example below. This is possible because the cert simply gets it's valid from and valid to dates updated.

As for using self-signed for Admin - I agree with @ahollifield - it's ugly because of the browser warnings - at least use your company PKI to create those.

I can also see from some organisation's point of view, that updating the ISE admin cert is a PAIN. Some organisations have a 1 year policy, and that causes a lot of work and disruption - take a large deployment and then you can spend some hours just with this task. Using a public CA is also not the solution, because of cost, and the fact that those cert lifetimes are 1 year, and will decrease steadily over the coming years.

Thus: Having self-signed certs for a very long time is an approach I have seen customers take, when they can't afford the downtime. Seems reasonable to me.

Re: ISE 2 node deployment - admin certificate not trusted

dusansim — Fri, 24 Oct 2025 11:21:18 GMT

These are good questions and should be answered by the person who designed and implemented the solution. Thank you for pointing out the EOS date.

Re: ISE 2 node deployment - admin certificate not trusted

dusansim — Fri, 24 Oct 2025 11:25:34 GMT

Hi Arne.

Thank you for the tip on prolonging the expiration TTL. Is it OK to use the same local CA signed certificate for all purposes, or should I sign one for Admin purpose and the other one for the rest?

Re: ISE 2 node deployment - admin certificate not trusted

Arne Bier — Sun, 26 Oct 2025 20:21:11 GMT

In your case, I would use the ISE self-signed cert for Admin, and leave the other fields unticked.

In my deployments, I don't use self-signed certs for anything (I would use corp PKI signed for Admin, EAP and sponsor portals) and public CA for guest portals. And to avoid cert expiration warnings, I tend to extend all the remaining self-signed certs by 10 years or so, using the edit feature.