Certificates for ISE Backup

Community Manager

If you look at the ISE Backup Guide, you will find the following:

Note: The ISE Configuration backup includes system and trusted certificates, and does not include internal Certificate Authority (CA) certificates.

To manually back up the internal Certificate Authority (CA) repository in ISE CLI, log in to the Primary Admin Node (ISE PAN) node via SSH, run the command application configure ise, and select option 7 to export the internal CA repository.

==========================================

If you look at this part, it seems that the certificate is also backed up at the same time, but it is not clear what the scope of the internal Certificate Authority (CA) certificate is.

Does that refer to the self-signed certificate in ISE?

Also, if there are multiple ISE devices, I understand that they exchange certificates with others because of HA, etc., but in this case, should I export certificates for each device?

I'd like to know exactly what parts of the certificate should be reviewed when changing devices using the backup restore.

Thank you for your help!


Milos_Jovanovic
VIP Alumni

Hi sangchul,

As you already wrote, it is clearly stated "The ISE Configuration backup includes system and trusted certificates, and does not include internal Certificate Authority (CA) certificates." System and trusted certificates are the ones that you see under Administration / System / Certificates / Certificate Management:


Internal CA certificates are the ones that you see under Administration / System / Certificates / Certificate Authority:


That said, there is a bit of overlap in between: the certificate used for ISE Messaging Services is most often one issued by ISE, for ISE. This certificate is located under System Certificates, but its CA chain is located under Certificate Authority Certificates.

What I usually do is always keep an offline backup of externally issued certificates (which I use for Admin or EAP Authentication, and portals), along with their CA certificates. For ISE Messaging Services, I re-generate the ISE Root CA and reissue this certificate when needed. However, I almost never use the ISE CA for any other services, so I can afford not to care about this topic. If you are using the ISE CA, you need to export and back up those as well, from the ISE CLI.

Kind regards,

Milos
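Added example, not from either poster and not part of ISE: the reply above recommends keeping an offline copy of externally issued certificates together with their CA certificates. The part that goes wrong during a device replacement is usually that the offline copy is incomplete (issuing CA missing, wrong private key saved beside the cert, or the cert already expired). The script below is the check you would run against that offline backup before relying on it for a restore. It uses only the openssl CLI; the test PKI it builds (CA, leaf, and an unrelated CA) is constructed material so the script runs offline, and file names such as ise.pem and ca.pem are assumptions. The internal CA export via `application configure ise` on the PAN is a separate CLI step and is not covered here.

```shell
#!/bin/sh
# verify_cert_backup LEAF_PEM KEY_PEM CA_BUNDLE_PEM
# Returns 0 when the offline backup is usable for a restore:
#   (a) the leaf certificate chains to the CA certificates stored beside it,
#   (b) the saved private key is the one belonging to that certificate.
# It also prints the subject and notAfter so an expired cert is noticed early.
verify_cert_backup() {
    leaf=$1; key=$2; ca=$3
    # Chain check: every cert in the bundle (root and intermediates) is treated as trusted,
    # which is what we want for a "did I save the whole chain" test.
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: $leaf does not chain to the CA certificates in $ca" >&2
        return 1
    fi
    # Key check: public key embedded in the cert must equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key $key does not match certificate $leaf" >&2
        return 1
    fi
    openssl x509 -in "$leaf" -noout -subject -enddate
    return 0
}

# Constructed test material (assumption: throwaway names, 1-day validity):
# an "Example Root CA", a leaf it issued for a hypothetical ISE node, and an unrelated CA.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ise.key" -out "$dir/ise.csr" -subj "/CN=ise.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ise.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ise.pem" -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/other.key" -out "$dir/other.pem" -subj "/CN=Unrelated CA" -days 1 >/dev/null 2>&1
}
```

Usage against a real offline backup is just `verify_cert_backup admin.pem admin.key ca-chain.pem`, where ca-chain.pem holds the issuing CA and any intermediates concatenated. If you want the stricter semantics of trusting only the root, pass the intermediates with `-untrusted` instead of folding them into the `-CAfile` bundle.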