Changing Self-signed certificate to Windows CA Signed Cert ISE HA

SaintEvn
Level 1

Hi All,
We have two Cisco ISE 3.1 nodes running in HA using the default self-signed certificate.
We want to change/replace the self-signed certificate with a Windows CA signed cert.
Could you guide me on how I can replace the cert?
Do I need to apply the cert on both ISE nodes manually, or if I apply the new cert on the Primary admin node, will it automatically sync to the secondary ISE and get replaced?


And we plan to use a wildcard certificate for both ISE nodes.
Let's say we have two ISE nodes as below:
Primary: ise01.mbw.local
Secondary: ise02.mbw.local

The domain is mbw.local. If I want to generate a wildcard CSR for those two ISE nodes, what should the common name be?
Can I use the common name "ise.mbw.local"? Will that be OK to use on both ISE nodes?
Can I give any name in front of ".mbw.local" for the common name?

And I need to add the SAN DNS Name *.mbw.local to cover both ISE nodes, am I correct?

Thank you so much


balaji.bandi
Hall of Fame

Check the guide below:

https://www.petenetlive.com/KB/Article/0001068

BB


M02@rt37
VIP

Hello @SaintEvn 

- Generate Certificate Signing Request:

On each ISE node, generate a CSR using the CLI.

- Submit CSR to Windows CA:

Submit the generated CSR to your Windows CA to obtain a signed certificate. Ensure the CN and SAN match the FQDN of each ISE node.

- Import Certificate:

On each ISE node, import the signed certificate using the CLI.

- Repeat for Secondary Node:

Repeat the process for the secondary ISE node.

** Include a SAN for each ISE node. In the SAN field, include entries for both ISE nodes.
- Example SAN entry: `DNS:ise01.mbw.local, DNS:ise02.mbw.local`.

Even in a high availability setup, certificates may need to be manually imported on each ISE node.


Best regards

SaintEvn
Level 1

Thank you all. I generated a CSR using the wildcard FQDN in the SAN and added the specific IP addresses of the two ISE nodes, got it signed by the CA and applied it from the Admin node. Both ISE nodes rebooted, and after they came up the cert installation was completed for both ISEs.

If we generate the CSR with a wildcard FQDN (*.example.com), the cert will be installed on all ISE nodes within the same cluster. If we generate a CSR for each ISE (ISE1.example.com, ISE2.example.com), then we need to install the cert manually on all the members separately. The cert can be installed from the Admin node GUI.
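As an added example that is not part of this thread, the script below expresses the CN/SAN choice discussed in the question and in the two answers above (wildcard plus the explicit node names ise01.mbw.local and ise02.mbw.local) as an OpenSSL CSR config, generates the CSR, and checks the SAN before the CSR would go to the Windows CA. ISE builds its own CSR from the admin GUI; this only shows the same name fields so they can be verified with standard tooling. It assumes openssl is on the PATH; the O= value, the CN and the file paths are constructed for the example.

```shell
# Added example, not from the thread: express the CN/SAN choice discussed
# above as an OpenSSL CSR config for the two nodes ise01/ise02.mbw.local,
# generate the CSR, and verify the SAN before the CSR goes to the Windows CA.
# Assumes openssl is on the PATH; O=, the CN and file paths are constructed.
DOMAIN="mbw.local"
CN="ise.mbw.local"                  # the CN asked about in the question
NODES="ise01.mbw.local ise02.mbw.local"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a request config whose subjectAltName holds the wildcard AND each
# node FQDN explicitly; clients match on SAN, so the CN alone is not enough.
write_csr_config() {
  cfg="$WORKDIR/ise-csr.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\nO = MBW\n' "$CN"
    printf '[ext]\nsubjectAltName = @alt\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n'
    printf '[alt]\nDNS.1 = *.%s\n' "$DOMAIN"
    i=2
    for n in $NODES; do printf 'DNS.%s = %s\n' "$i" "$n"; i=$((i + 1)); done
  } > "$cfg"
  printf '%s\n' "$cfg"
}

# Generate a 2048-bit RSA key and a SHA-256 CSR from that config; prints the CSR path.
generate_csr() {
  cfg=$(write_csr_config)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -keyout "$WORKDIR/ise.key" -out "$WORKDIR/ise.csr" 2>/dev/null
  printf '%s\n' "$WORKDIR/ise.csr"
}

# Print the SAN line of a CSR (e.g. "DNS:*.mbw.local, DNS:ise01.mbw.local, ...").
csr_sans() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Succeed only if the CSR's SAN carries the wildcard and every node FQDN,
# which is the check to run before submitting the CSR to the CA.
csr_covers_nodes() {
  sans=$(csr_sans "$1")
  case "$sans" in *"DNS:*.$DOMAIN"*) ;; *) return 1 ;; esac
  for n in $NODES; do
    case "$sans" in *"DNS:$n"*) ;; *) return 1 ;; esac
  done
  return 0
}
```

Run `csr=$(generate_csr); csr_sans "$csr"` to see the SAN list the CA will sign; the private key stays in `$WORKDIR/ise.key` and is never sent to the CA.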

Hello @SaintEvn 

Thanks for your feedback.

Best regards