11-22-2022 10:05 PM - last edited on 11-22-2022 10:46 PM by CiscoKoreaModer
If you look at the ISE Backup Guide, you will find the following:
Note: The ISE Configuration backup includes system and trusted certificates, and does not include internal Certificate Authority (CA) certificates.
To manually back up the internal Certificate Authority (CA) repository in ISE CLI, log in to the Primary Admin Node (ISE PAN) node via SSH, run the command application configure ise, and select option 7 to export the internal CA repository.
==========================================
If you look at this part, it seems that the certificates are also backed up at the same time, but it is not clear what the scope of the internal Certificate Authority (CA) certificates is.
Does that refer to the self-signed certificate in ISE?
Also, if there are multiple ISE devices, I understand that they exchange certificates with others because of HA, etc., but in this case, should I export certificates for each device?
I'd like to know exactly what parts of the certificate should be reviewed when changing devices using the backup restore.
Thank you for your help!
11-23-2022 02:41 AM
Hi sangchul,
As you already wrote, it is clearly stated "The ISE Configuration backup includes system and trusted certificates, and does not include internal Certificate Authority (CA) certificates." System and trusted certificates are the ones that you see under Administration / System / Certificates / Certificate Management:
Internal CA certificates are the ones that you see under Administration / System / Certificates / Certificate Authority:
Having said that, there is a bit of overlap in between: the certificate used for ISE Messaging Services is most often one issued by ISE, for ISE. This certificate is located under System Certificates, but its CA chain is located under Certificate Authority Certificates.
What I usually do is always keep an offline backup of externally issued certificates (which I use for Admin or EAP Authentication, and portals), along with their CA certificates. For ISE Messaging Services, I re-generate the ISE Root CA and reissue this certificate when needed. However, I almost never use the ISE CA for any other services, so I can afford not to care about this topic. If you are using the ISE CA, you need to export and back those up as well, from the ISE CLI.
Kind regards,
Milos