
Certificate replication through nodes.

ecanogut
Cisco Employee

Hello,

I have a customer who is planning to upload a new certificate (the current one is about to expire). I was able to import it successfully on the PAN without getting the services restarted. I've seen that if we enable the services the cert is used by (EAP, Admin, Portal) on the primary PAN, it will get restarted and the subsequent nodes will be restarted too. My question is: if I enable the services on one PSN at a time instead of the PAN, will the subsequent PSNs be restarted too?

 

Thank you very much.


Hi,

 

Only replacing the Admin certificate would result in the services being restarted on the node the certificate is being replaced on. Any other cert (EAP, Portal, pxgrid) would not result in the services being restarted.

 

HTH

@Rob Ingram Thank you for the quick response,

 

I have a lab deployment (1 PAN and 2 PSNs) where I replaced the certificate on the PAN and enabled the services (EAP, Admin, Portal). I see the PAN get restarted and after some minutes both PSNs too. The customer has about 10 nodes and they don't want to get all the nodes restarted; that's why I'm wondering if I only upload the new cert on the PAN, it won't activate a service restart of the nodes.

 

Hi, if you've replaced the PAN's admin certificate it should not reboot again. In a distributed cluster you have to upload the certificate for all other nodes from the web GUI of the PAN anyway; you just need to ensure you only select the correct PSN to replace the admin certificate, then only that PSN's services will restart, not any other PSN.

 

Make sense?

 

HTH

@Rob Ingram that makes sense 100%, how can I select the correct PSN to replace the admin certificate? Is it under Administration->Deployment Tab?

Assuming the PSN nodes are registered to the cluster, to import any certificate for a node in a cluster you'd go to:

 

Administration > System > Certificates

 

From there you can generate CSRs, select which type of certificate and which node the CSR is being generated for, and then once the certificate is signed you can bind the signed certificates.

Thank you very much @Rob Ingram,

 

Will try this option in Lab.

 

Regards. 

 
