ISE Certificate Renewal ver 2.4.0.357

Hello,

Our CA-signed certificate is expiring in a few days. I have installed a new certificate which was obtained through a CSR generated by ISE. The new certificate was installed by using the BIND feature. However, while doing the BIND, I disabled the Admin, HTTPS and Portal options, which we will need to enable later.

1. Can I go ahead and edit the new certificate by enabling the Admin, HTTPS & Portal options while the existing certificate still has a couple of days before it expires?

2. If the answer to (1) is Yes, will there not be a certificate conflict in ISE, since there are now 2 valid certificates enabled for Admin, HTTPS & Portal, and how does ISE resolve this conflict?

3. I read on another ISE thread that I could wait for the existing certificate to expire and after that enable the Admin, HTTPS and Portal functions on the new certificate. If I take this option, will I be able to have HTTPS access to ISE to enable these options on the new certificate after the existing certificate has expired?

4. We have a distributed system. Please confirm that I only need to install the new certificate on the Primary and that ISE should trigger a rolling restart of ISE services on the other nodes.

Regards

Clem

Accepted Solutions
Cisco Employee

Re: ISE Certificate Renewal ver 2.4.0.357

1. Yes, as long as the valid FROM date is not in the future, it should be fine. Enabling it for admin will cause the ISE node to restart, but for portal and EAP it does not require a restart and can be applied on the fly.

2. The certificate conflict check happens during bind. Since you didn't get any conflict error, it should work.

3. I would recommend taking action prior to expiry to avoid any disruption.

4. When updating the certificate, you can select which certificate will be used for admin and EAP purposes by each ISE node. IOW you can control which ones will be updated within the certificate management GUI. Like noted in #1, applying it for the admin function will require a restart. For the portal certificate, it is applied globally, but you can use the portal tag to control where it is applied.

Beginner

Re: ISE Certificate Renewal ver 2.4.0.357

Hello,

Thanks. The update was successful.

Clem