12-14-2023 09:13 AM - edited 12-14-2023 09:14 AM
Hi All,
We have two Cisco ISE 3.1 nodes running in HA using the default self-signed certificate.
We want to change/replace the self-signed certificate with a Windows CA signed cert.
Could you guide me on how I can replace the cert?
Do I need to apply the cert on both ISE nodes manually, or if I apply the new cert on the Primary admin node, will it automatically sync to the secondary ISE and get replaced?
And we plan to use a wildcard certificate for both ISE nodes.
Let's say we have two ISE nodes as below:
Primary: ise01.mbw.local
Secondary: ise02.mbw.local
The domain is mbw.local. If I want to generate a wildcard CSR for those two ISE nodes, what should the common name be?
Can I use the common name "ise.mbw.local"? Will that be OK to use on both ISE nodes?
Can I give any name in front of ".mbw.local" for the common name?
And I need to add SAN DNS Name: *.mbw.local to cover both ISE nodes, am I correct?
Thank you so much
12-14-2023 11:17 AM
Check the guide below:
12-14-2023 12:02 PM
Hello @SaintEvn
- Generate Certificate Signing Request: on each ISE node, generate a CSR using the CLI.
- Submit CSR to Windows CA: submit the generated CSR to your Windows CA to obtain a signed certificate. Ensure the CN and SAN match the FQDN of each ISE node.
- Import Certificate: on each ISE node, import the signed certificate using the CLI.
- Repeat for Secondary Node: repeat the process for the secondary ISE node.

** Include SAN for Each ISE Node: in the SAN field, include entries for both ISE nodes. Example SAN entry: `DNS:ise01.mbw.local, DNS:ise02.mbw.local`.
Even in a high availability setup, certificates may need to be manually imported on each ISE node.
01-04-2024 07:49 AM - edited 01-04-2024 07:50 AM
Thank you all. I generated a CSR using the wildcard FQDN in the SAN and added the specific IP addresses of the two ISE nodes, got it signed by the CA and applied it from the Admin node. Both ISE nodes rebooted, and after they came up the cert installation was completed on both ISEs.
If we generate a CSR with a wildcard FQDN (*.example.com), the cert will be installed on all ISE nodes within the same cluster. If we generate a CSR for each ISE (ISE1.example.com, ISE2.example.com), then we need to install the cert manually on each member separately. The cert can be installed from the Admin node GUI.
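The two SAN layouts discussed in this thread (one wildcard entry covering every node, versus one `DNS:` entry per node FQDN) differ in exactly which names a TLS client will accept. The following is an added example, not code from the thread or from Cisco ISE; it implements the standard client-side name-matching rules (RFC 6125 wildcard-in-leftmost-label-only, IP addresses matched only against `IP:` entries, CN ignored when SANs are present) so you can check a proposed SAN list against your node FQDNs and addresses before submitting the CSR to the CA. The SAN strings and the `192.0.2.x` addresses are constructed sample values; `mbw.local` and the `ise01`/`ise02` hostnames are the ones from the question.

```python
"""Check whether a certificate's Subject Alternative Names cover a set of ISE nodes.

Rules applied (these are what TLS clients such as browsers and RADIUS
supplicants do, not anything specific to ISE):
  - DNS names match case-insensitively, ignoring a trailing dot;
  - a wildcard must be the whole left-most label and matches exactly one
    label: '*.mbw.local' covers 'ise01.mbw.local' but not 'mbw.local'
    and not 'psn.ise01.mbw.local';
  - an IP address is matched only against an 'IP:' entry, never a 'DNS:'
    entry;
  - the Common Name is not consulted at all once a SAN extension exists.
"""
import ipaddress


def parse_san(san_string: str) -> list[tuple[str, str]]:
    """Parse an OpenSSL-style SAN string, e.g. 'DNS:a.example, IP:192.0.2.1'."""
    entries = []
    for raw in san_string.split(","):
        kind, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"SAN entry without a type prefix: {raw!r}")
        entries.append((kind.strip().upper(), value.strip()))
    return entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one DNS SAN entry against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire left-most label, nowhere else, and with at
    # least two labels after it ('*.local' alone is rejected).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # '*' stands in for exactly one label, so label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def san_covers(entries: list[tuple[str, str]], target: str) -> bool:
    """True if any SAN entry of the right type matches target (FQDN or IP)."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in entries:
        if kind == "DNS" and target_ip is None:
            if dns_name_matches(value, target):
                return True
        elif kind == "IP" and target_ip is not None:
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # malformed IP entry cannot match anything
    return False


def check_nodes(san_string: str, nodes: list[str]) -> dict[str, bool]:
    """Map each node name/address to whether the SAN list covers it."""
    entries = parse_san(san_string)
    return {node: san_covers(entries, node) for node in nodes}


# Constructed sample data (the addresses are TEST-NET placeholders, not real).
WILDCARD_SAN = "DNS:*.mbw.local, IP:192.0.2.11, IP:192.0.2.12"
PER_NODE_SAN = "DNS:ise01.mbw.local, DNS:ise02.mbw.local"
NODES = ["ise01.mbw.local", "ise02.mbw.local", "192.0.2.11"]

if __name__ == "__main__":
    for label, san in (("wildcard", WILDCARD_SAN), ("per-node", PER_NODE_SAN)):
        print(label, check_nodes(san, NODES + ["mbw.local", "psn.ise01.mbw.local"]))
```

Note that a single `DNS:ise.mbw.local` entry (the common name the question proposes) covers neither node, and the wildcard does not cover the bare domain or any deeper name such as a future `psn.ise01.mbw.local`; if you later add nodes at a different depth you will need a per-node entry or a second wildcard.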
01-04-2024 08:46 AM
Hello @SaintEvn
Thanks for your feedback.