ISE Certificate Renewal ver 2.4.0.357

c.ogedengbe
Level 1

Hello,

Our CA signed certificate is expiring in a few days. I have installed a new certificate which was obtained through CSR generated by ISE. The new certificate was installed by using BIND feature. However, while doing the BIND, I disabled Admin, HTTPS and Portal options which we will need to enable later.

1. Can I go ahead to edit the new certificate by enabling Admin, HTTPS & Portal options while the existing certificate still has a couple of days to expire?

2. If the answer to (1) is Yes, will there not be a certificate conflict in ISE since there are now 2 valid certificates enabled for Admin, HTTPS & Portal and how does ISE resolve this conflict?

3. I read on another ISE thread that I could wait for the existing certificate to expire and after that enable the Admin, HTTPS and Portal functions on the new certificate. If I take this option, will I be able to have https access to ISE to enable these options on the new certificate after the existing certificate has expired?

4. We have a distributed system. Please confirm that I only need to install the new certificate on the Primary and that ISE should trigger rolling restart of ISE services on the other nodes.

Regards

Clem

 


howon
Cisco Employee

1. Yes, as long as valid FROM date is not in the future, it should be fine. Enabling it for admin will cause ISE node to restart, but for portal and EAP it does not require restart and can be applied on the fly.

2. Certificate conflict check happens during bind; since you didn't get any conflict error, it should work.

3. I would recommend taking action prior to expiry to avoid any disruption.

4. When updating certificate, you can select which certificate will be used for admin and EAP purpose by each ISE node. IOW you can control which ones will be updated within the certificate management GUI. Like noted in #1, applying it for admin function will require restart. For the portal certificate, it is applied globally but you can use portal tag to control where it is applied.

Hello,

Thanks. The update was successful.

Clem
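Points 1 and 3 of the accepted answer come down to two date checks: the new certificate's Valid From must not be in the future, and the change should happen before the existing certificate expires. The following is an added example, not part of the original thread and not Cisco code, that runs those checks offline. It assumes the dates were copied from `openssl x509 -noout -dates` for each certificate; the sample dates and the function names are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: `openssl x509 -noout -dates` output for each certificate.
OLD_CERT_DATES = """notBefore=Mar 10 00:00:00 2018 GMT
notAfter=Mar 10 00:00:00 2020 GMT"""
NEW_CERT_DATES = """notBefore=Mar  2 00:00:00 2020 GMT
notAfter=Mar  2 00:00:00 2022 GMT"""


def parse_dates(text):
    """Return (not_before, not_after) as epoch seconds from openssl -dates output."""
    fields = dict(line.strip().split("=", 1) for line in text.strip().splitlines())
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))


def cutover_check(old_text, new_text, now=None):
    """Report whether roles can be moved to the new certificate at time `now` (UTC)."""
    if now is None:
        now = datetime.now(timezone.utc)
    now_s = now.timestamp()
    old_nb, old_na = parse_dates(old_text)
    new_nb, new_na = parse_dates(new_text)

    problems = []
    if new_nb > now_s:
        problems.append("new certificate is not valid yet (Valid From is in the future)")
    if new_na <= now_s:
        problems.append("new certificate has already expired")
    if old_na <= now_s:
        problems.append("existing certificate has already expired; expect disruption")
    if new_nb > old_na:
        problems.append("gap between existing expiry and new Valid From")

    return {
        # Mirrors answer point 1: usable only inside the new validity window.
        "safe_to_enable_new": new_nb <= now_s < new_na,
        # Mirrors answer point 3: how much time is left to act before expiry.
        "days_until_old_expiry": int((old_na - now_s) // 86400),
        "problems": problems,
    }


if __name__ == "__main__":
    print(cutover_check(OLD_CERT_DATES, NEW_CERT_DATES))
```

A negative `days_until_old_expiry` means the existing certificate has already lapsed at the time checked.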
