Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1836
Views
5
Helpful
4
Replies

Certificate renewal on primary ISE when secondary ISE already have a certificate

Go to solution
engineer467
Level 1
Level 1

‎02-13-2020 03:04 AM - edited ‎02-13-2020 03:48 AM

Hello,

I am facing a situation at new work place.

We have ISE 2.2 deployment with two nodes.

A wildcard certificate signed by an external CA is present on secondary ISE, which is used for authentication, but there is no such certificate on primary node. The secondary node is currently active and primary on standby.

Now I need to update the primary node with the same wildcard certificate (highlighted yellow in attached screenshot), so that there are no authentication issues when failover occur, but don't know where to start.

 

Can somebody help me out please.

Thank you.

Preview file
101 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎02-13-2020 03:56 AM

Hi @engineer467 

 

So your secondary ISE node is called ISE02, and the Primary is ISE01 - it's a bit confusing ... but the name doesn't matter.

 

The steps are very simple actually.

Select the "Admin Wildcard Cert" and then select Export. You will export the cert as well as the Private Key. The password that you type for the private key is required to protect the private key - it can be anything you like - just don't forget it.

 

Then on the same System Cert page, Import the cert you just exported, and select ISE02.  Select the Roles that you want this cert to have (Admin, Portal, EAP - I guess these are the main ones?) - Because you have selected Admin, it will cause the ISE02 node to restart. If this is the Primary Admin node (as you describe) then it will kick you out of the GUI and you will have some downtime.

 

It's a fairly safe and regular process. It can be a bit scary. Inspect your certificate very well if you plan to use this for EAP services. Windows Supplicants don't like wildcards in the ISE EAP Cert Subject Common Name field. I think there is a workaround as long as your SAN DNS entries contain the FQDN (Fully Qualified Domain Name) of the ISE nodes' in question.

 

 

View solution in original post

4 Replies 4

Go to solution
Arne Bier
VIP
VIP

‎02-13-2020 03:56 AM

Hi @engineer467 

 

So your secondary ISE node is called ISE02, and the Primary is ISE01 - it's a bit confusing ... but the name doesn't matter.

 

The steps are very simple actually.

Select the "Admin Wildcard Cert" and then select Export. You will export the cert as well as the Private Key. The password that you type for the private key is required to protect the private key - it can be anything you like - just don't forget it.

 

Then on the same System Cert page, Import the cert you just exported, and select ISE02.  Select the Roles that you want this cert to have (Admin, Portal, EAP - I guess these are the main ones?) - Because you have selected Admin, it will cause the ISE02 node to restart. If this is the Primary Admin node (as you describe) then it will kick you out of the GUI and you will have some downtime.

 

It's a fairly safe and regular process. It can be a bit scary. Inspect your certificate very well if you plan to use this for EAP services. Windows Supplicants don't like wildcards in the ISE EAP Cert Subject Common Name field. I think there is a workaround as long as your SAN DNS entries contain the FQDN (Fully Qualified Domain Name) of the ISE nodes' in question.

 

 

Go to solution
engineer467
Level 1
Level 1
In response to Arne Bier

‎02-13-2020 04:25 AM

Hello Arne,

Thank you for the reply.

Please find my answers and query below-

 

So your secondary ISE node is called ISE02, and the Primary is ISE01 - it's a bit confusing ... but the name doesn't matter

Yes Secondary is ISE02 and Primary is ISE01.

 

Then on the same System Cert page, Import the cert you just exported, and select ISE02

Actually, ISE02 already have this certificate, we need to import it for ISE01. So, I should be selecting ISE01, right?

 

It's a fairly safe and regular process. It can be a bit scary. Inspect your certificate very well if you plan to use this for EAP services. Windows Supplicants don't like wildcards in the ISE EAP Cert Subject Common Name field. I think there is a workaround as long as your SAN DNS entries contain the FQDN (Fully Qualified Domain Name) of the ISE nodes' in question

Yes, our DNS servers have the FQDNs of both the ISE nodes. As of now, EAP authentication is working fine using this wildcard cert installed on secondary node which is acting as active.

 

 

 

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to engineer467

‎02-13-2020 01:43 PM

I was referring to the picture you attached and it clearly shows xxxSE02 with the Admin Wildcard Cert - you referred to that node as your Secondary.  Either way - doesn't matter.

 

The point is this: find and select the cert that you wish to export and follow the steps. Then click the Import button and select the node into which you want to import the cert ... that's the deal. :-)

0 Helpful

Go to solution
engineer467
Level 1
Level 1
In response to Arne Bier

‎02-14-2020 01:46 AM

Great! I will update after the activity.

Thank you.

0 Helpful
Customers Also Viewed These Support Documents