ISE Certificate Renewal

Beginner

Hi,

Our ISE (2.0.1.130) default self-signed server certificate has expired on both our primary and secondary ISE nodes. The default self-signed server certificate is currently configured to be used by pxGrid and Portal services, but we don't use either function. Admin and EAP services are associated with a signed, active certificate.

If I want to renew the default self-signed server certificate, does ISE need to restart because it's associated with pxGrid & Portal services, regardless of whether they are used on the ISE nodes?

For the secondary non-admin ISE node, is it better to renew/delete certificates from the secondary node directly, or can this be done through the primary ISE node?

In addition, there is an expired CA-signed certificate issued by our CA which isn't associated with anything. I assume I can delete this with no impact?

Cheers,

Tom

Accepted solution

Cisco Employee

Re: ISE Certificate Renewal

On the default self-signed server certificate: renewing it does not trigger a restart of ISE services unless it's used by "admin". After the primary ISE node is restarted due to renewing its "admin" certificate, it will trigger a rolling restart of ISE services on all the secondary nodes.

On secondary ISE nodes, it can be done either way.

On the expired CA-signed certificate not in use: yes, it's fine to delete it, and please do so before performing an ISE upgrade.

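The question and the accepted answer both turn on which certificate each usage (Admin, Portal, pxGrid) actually serves on each node, so the check a practitioner wants before renewing or deleting anything is an inventory of what every service port presents. The script below is an added example, not from this thread or from Cisco. It assumes the ISE default listeners 443 (Admin GUI), 8443 (guest/sponsor portals) and 8910 (pxGrid), placeholder hostnames ise-pan1/ise-pan2, and the third-party cryptography package to decode the DER certificate; EAP is not covered because it runs inside RADIUS rather than on a plain TLS listener. Validation is deliberately switched off so an expired or self-signed certificate is still reported rather than causing a handshake error. With no hostnames on the command line it runs against constructed sample data that mirrors the situation in the original post.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed ISE default listeners (adjust if your portals use custom ports).
# EAP is left out: it runs inside RADIUS, not over a plain TLS listener.
SERVICE_PORTS = {"Admin": 443, "Portal": 8443, "pxGrid": 8910}


def parse_utc(iso):
    """'2020-06-10T12:00:00' -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def expiry_status(not_after, now=None, warn_days=30):
    """Return (days_left, status); days_left is negative once expired."""
    now = now or datetime.now(timezone.utc)
    days = (not_after - now).total_seconds() / 86400.0
    if days < 0:
        return days, "EXPIRED"
    if days < warn_days:
        return days, "EXPIRING"
    return days, "OK"


def fetch_cert(host, port, timeout=5.0):
    """Fetch the leaf certificate served on host:port WITHOUT validating it,
    so expired and self-signed certificates are still returned.
    Decoding the DER blob needs the third-party 'cryptography' package.
    A listener that insists on a client certificate may abort the handshake;
    that raises ssl.SSLError and the caller reports the port as unreachable."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:               # older cryptography: naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return {"subject": cert.subject.rfc4514_string(),
            "sha256": cert.fingerprint(hashes.SHA256()).hex(),
            "not_after": not_after}


# Constructed sample data mirroring the thread: a current CA-signed certificate
# on Admin, the expired default self-signed certificate still bound to Portal
# and pxGrid.  ise-pan2 is deliberately absent so the unreachable path shows.
_EXPIRED = {"subject": "CN=ise-pan1", "sha256": "bb" * 32,
            "not_after": parse_utc("2019-11-15T00:00:00")}
SAMPLE_CERTS = {
    ("ise-pan1", 443): {"subject": "CN=ise-pan1.example.test,O=Example",
                        "sha256": "aa" * 32,
                        "not_after": parse_utc("2021-03-01T00:00:00")},
    ("ise-pan1", 8443): _EXPIRED,
    ("ise-pan1", 8910): _EXPIRED,
}


def sample_fetch(host, port, timeout=5.0):
    """Offline stand-in for fetch_cert backed by SAMPLE_CERTS."""
    if (host, port) not in SAMPLE_CERTS:
        raise ConnectionRefusedError(f"{host}:{port} not in sample")
    return SAMPLE_CERTS[(host, port)]


def build_report(nodes, fetch=fetch_cert, now=None):
    """Rows of (host, service, port, subject, fingerprint-prefix, status).
    The same fingerprint on two ports means one certificate is bound to both
    usages, which is exactly the default self-signed certificate's situation."""
    rows = []
    for host in nodes:
        for service, port in SERVICE_PORTS.items():
            try:
                info = fetch(host, port)
            except (OSError, ssl.SSLError) as exc:
                rows.append((host, service, port, "", "",
                             f"UNREACHABLE ({type(exc).__name__})"))
                continue
            days, status = expiry_status(info["not_after"], now)
            rows.append((host, service, port, info["subject"],
                         info["sha256"][:16], f"{status} ({days:+.0f}d)"))
    return rows


if __name__ == "__main__":
    import sys
    # python ise_cert_inventory.py ise-pan1 ise-pan2 ...   (no args: sample run)
    hosts = sys.argv[1:]
    rows = build_report(hosts or ["ise-pan1", "ise-pan2"],
                        fetch=fetch_cert if hosts else sample_fetch,
                        now=None if hosts else parse_utc("2020-01-10T00:00:00"))
    for row in rows:
        print("{:9} {:7} {:5} {:36} {:16} {}".format(*row))
```

Run it against every node in the deployment, not just the PAN, since each node binds its own certificates. A row showing EXPIRED on Portal and pxGrid with the same fingerprint on both, while Admin shows a different, current fingerprint, is the situation described in the original post; cross-check the fingerprints against the System Certificates page in the admin GUI before deleting anything, and treat an UNREACHABLE row on the pxGrid port as inconclusive rather than as proof that nothing is bound there, because that listener may simply have rejected a client without a certificate.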

11 Replies

Collaborator

Re: ISE Certificate Renewal

If I understand the answer correctly, updating the non-self-signed Admin cert on the PPAN will trigger the PPAN to restart and then the rolling restart of all the secondary nodes in the deployment regardless. If so, I have the following questions:

- From an operational perspective, if there are lots of nodes in the deployment, would it be better if we install and activate the new Admin cert on all the secondary nodes and then do the same for the PPAN? Can this entire procedure be done just from the PPAN Admin GUI?

- How does ISE PPAN determine its rolling restart sequence? Is it determined by node persona, or its hostname (alphabetically)?

Thanks for your clarification.

Cisco Employee

Re: ISE Certificate Renewal

The same applies to both self-signed and non-self-signed certificates. CSCut10928 has been open since 1.2 but is not yet addressed. I documented the workaround in that defect.

I believe the restart sequence is based on the order in the database, so it seems to be the same as what is in the output of "show tech".

Collaborator

Re: ISE Certificate Renewal

And... this is the only paper I could find on the cert renewal topic.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

It's not clear on my questions.

Beginner

Re: ISE Certificate Renewal

Hi hslai,

Thanks for the details. Just checking that it's only admin that requires a restart; pxGrid & Portal services tied to a cert which needs to be renewed don't require a restart? I am just double-checking, as I couldn't see this confirmed anywhere (other than that admin/HTTPS requires a restart).

Regards,

Tom

Cisco Employee

Re: ISE Certificate Renewal

Yes, that is correct. Normally only updating the "admin" certificate will require such restart.

Enthusiast

Re: ISE Certificate Renewal

hslai

Hi, please can you confirm the following statement:

"After the primary ISE node is being restarted due to renewing its "admin" certificate, it will trigger a rolling restart of ISE services on all the secondary nodes."

So in a distributed deployment, applying a new Admin Certificate on the Primary, and then later on the Secondary PAN, will obviously cause the services to restart.

But will this also trigger the MnT Primary and Secondary nodes to reload, and the dedicated PSNs to reload as well?

Even if I haven't touched the certificates on those nodes?

Why is that? I ask because this occurred for me.

Cisco Employee

Re: ISE Certificate Renewal

This is due to CSCut10928. ISE 1.0/1.1 had an issue where the secondary ISE nodes did not trust the new server certificate of the primary ISE until a restart.

The rolling restart is triggered by updating the "admin" certificate of the primary ISE node (the primary PAN), but not on any of the secondary ISE nodes, such as the secondary PAN.

Enthusiast

Re: ISE Certificate Renewal

Thanks hslai, our version is 2.2, so I'm not sure why they all reloaded sequentially, one by one.

It occurred after changing to new cert then rolling back.

Edit - That bug covers 2.2 also.

Thanks

Cisco Employee

Re: ISE Certificate Renewal

CSCut10928 has not been addressed yet in any ISE 2.x release. Thus, it's expected that updating the cert on the P-PAN will rolling-restart all of the other ISE nodes.

Enthusiast

Re: ISE Certificate Renewal

Thanks for clarifying