ISE Certificate Renewal

holdentom218
Level 1

Hi,

Our ISE (2.0.1.130) default self signed server certificate has expired on both our primary and secondary ISE nodes. The Default self-signed server certificate is currently configured to be used by pxGrid and Portal services, but we don't use either function. Admin and EAP services are associated with a signed, active certificate.

If I want to renew the default self-signed server certificate, does ISE need to restart because it's associated with pxGrid & Portal services, regardless of whether they are used on the ISE nodes?

For the secondary non-admin ISE node, is it better to renew/delete certificates from the secondary node directly, or can this be done through the primary ISE node?

In addition, there is an expired CA-signed certificate issued by our CA which isn't associated with anything. I assume I can delete this with no impact?

Cheers,

Tom

Accepted Solution

hslai
Cisco Employee

On the default self-signed server certificate, it does not trigger a restart of ISE services unless it's used by "admin". After the primary ISE node is restarted due to renewing its "admin" certificate, it will trigger a rolling restart of ISE services on all the secondary nodes.

On secondary ISE nodes, it can be done either way.

On the expired CA-signed certificate not in use, yes, it's fine to delete it, and please do so before performing an ISE upgrade.

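Before touching the "admin" certificate (which, per the accepted answer, restarts the primary and then rolls through every secondary node), it helps to inventory the certificates first so that only the ones that really need renewing get renewed, and expired unused ones get cleaned out ahead of an upgrade. The script below is an added example and is not part of the thread or of ISE itself: it assumes you have exported the node certificates as PEM files (the file names, the demo subject name and the 30-day warning window are illustrative assumptions) and that the openssl CLI is available.

```shell
#!/bin/sh
# Added example (not from the thread): classify exported ISE PEM certificates
# as EXPIRED, EXPIRING (within a warning window), VALID or UNREADABLE using
# only the openssl CLI. File paths and the 30-day window are assumptions.

# check_cert_expiry FILE [WARN_DAYS]
#   returns 0: valid beyond the warning window
#           1: expires within WARN_DAYS (renew now, before it lapses)
#           2: already expired (renew, or delete if nothing is bound to it)
#           3: file missing or not a parsable X.509 certificate
check_cert_expiry() {
    file=$1
    warn_days=${2:-30}
    warn_secs=$((warn_days * 86400))
    # Refuse to classify something openssl cannot even parse.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        return 3
    fi
    # -checkend 0 fails (exit 1) when notAfter is already in the past.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        return 2
    fi
    # -checkend N fails when the cert will expire within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_cert FILE [WARN_DAYS]
#   prints "<STATUS>\t<subject>\t<notAfter>" and returns the same code
#   as check_cert_expiry so it can drive a loop over many files.
report_cert() {
    file=$1
    warn_days=${2:-30}
    rc=0
    check_cert_expiry "$file" "$warn_days" || rc=$?
    case $rc in
        0) status=VALID ;;
        1) status=EXPIRING ;;
        2) status=EXPIRED ;;
        *) status=UNREADABLE ;;
    esac
    if [ "$rc" -eq 3 ]; then
        printf '%s\t%s\n' "$status" "$file"
        return $rc
    fi
    subject=$(openssl x509 -in "$file" -noout -subject)
    not_after=$(openssl x509 -in "$file" -noout -enddate)
    printf '%s\t%s\t%s\n' "$status" "$subject" "$not_after"
    return $rc
}

# make_test_cert FILE DAYS
#   constructed self-signed certificate, used only for a dry run of the
#   functions above; the subject name is made up.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=ise-demo.example.local" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

Typical use is `for f in exported-certs/*.pem; do report_cert "$f" 30; done` on the PEM files exported from the ISE certificate store. To check the certificate a node actually presents rather than what the store says, capture it first with `openssl s_client -connect <node>:443 </dev/null 2>/dev/null | openssl x509 > node.pem` and run `report_cert node.pem` on the result.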

11 Replies


If I understand the answer correctly, updating the non self-signed Admin cert on the PPAN will trigger the PPAN to restart and then, the rolling restart of all the secondary nodes in the deployment regardless. If so, I have the following questions:

- From operation perspective, if there are lots of nodes in the deployment, would it be better we install and activate the new Admin cert on all the secondary nodes then do the same for the PPAN? Can this entire procedure be done just on the PPAN Admin GUI?

- How does ISE PPAN determine its rolling restart sequence? Is it determined by node persona, or its hostname (alphabetically)?

Thanks for your clarification.

The same affects both self-signed and non-self-signed. CSCut10928 has been open since 1.2 but is not yet addressed. I documented the workaround in that defect.

I believe the restart sequence is based on the order in the database, so it seems the same as what is in the output of "show tech".

And... this is the only paper I could find on the cert renewal topic.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

It's not clear on my questions.

Hi hslai,

Thanks for the details. Just checking that it's only admin that requires a restart, and that pxGrid & Portal services tied to a cert which needs to be renewed don't require a restart? I am just double-checking, as I couldn't see this confirmed anywhere (other than that admin/HTTPS requires a restart).

Regards,

Tom

Yes, that is correct. Normally only updating the "admin" certificate will require such restart.

hslai,

Hi, please can you confirm the following statement:

"After the primary ISE node is being restarted due to renewing its "admin" certificate, it will trigger a rolling restart of ISE services on all the secondary nodes."

So in a distributed deployment, applying a new Admin certificate on the Primary and then later on the Secondary PAN will obviously cause the services to restart.

But will this also trigger the MnT Primary and Secondary nodes to reload, and the dedicated PSNs to reload as well?

Even if I haven't touched the certificates on those nodes?

Why is that? I ask because this occurred for me.

This is due to CSCut10928. ISE 1.0/1.1 had an issue where the secondary ISE nodes did not trust the new server certificate of the primary ISE until restart.

The rolling restart is triggered by updating the "admin" certificate of the primary ISE node (the primary PAN), but not on any of the secondary ISE nodes, such as the secondary PAN.

Thanks hslai, our version is 2.2, so I'm not sure why they all reloaded sequentially one by one.

It occurred after changing to new cert then rolling back.

Edit - That bug covers 2.2 also.

Thanks

CSCut10928 has not been addressed yet in any ISE 2.x release. Thus, it's expected that updating the cert on the P-PAN will trigger a rolling restart of all of the other ISE nodes.

Thanks for clarifying

