Cisco ISE 1.2 wrong certificate on admin node

Serg Romanovets
Level 1

Hello All,

I made the mistake of entering the wrong certificate on the Administration ISE node. Now I can't connect to it, because the entered certificate can't be used for building an HTTPS connection. I have access by SSH, but I don't know how to fix this issue from the CLI. Is it possible?

Thanks!

4 Replies

Francesco Molino
VIP Alumni

Hi

I've never had this kind of issue. However, the CLI commands are quite limited.

There is a command, application reset-config ise, where the 1st question is about initialization of ISE and the 2nd concerns certificates.

If this isn't a production server, try this command by saying No at the 1st question (factory reset of ISE) and No at the 2nd question (Retain server certificates).

If it doesn't work, you'll need to reply Yes at the 1st and No at the 2nd question, but you'll lose all config (rules and AD join).

If you have a lot of rules, I would suggest these steps (unless someone else has another idea, but on my side I don't see another way):

- Make a backup of your actual ISE through the CLI (I'll paste the link to the ISE backup/restore commands below)

- Reset to factory as per the command given before

- Export the self-signed certificate (application configure ise): http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0101.html#ID-1363-0000020d

- Restore your backup from the CLI (you won't be able to connect through HTTPS, like today)

- Import back the certificate backup you made just before (resetting the certificate)

- Now you'll be able to connect and retrieve all your data.

Below is a link for backup/restore:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_backup.html#35144

Hope this answered your question. 

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue.
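The thread's root cause is a certificate that was imported before anyone confirmed it was usable for the admin node's HTTPS interface. As an added example (not from this thread or from Cisco), the following POSIX shell pre-flight check, which assumes only the openssl CLI, verifies a certificate/key pair before it is imported for an HTTPS admin interface: the private key belongs to the certificate, the certificate is not expired, and the FQDN administrators will browse to is covered by the SAN or CN. The hostnames and the self-signed test material are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a
# certificate/key pair BEFORE it is imported for an HTTPS admin interface,
# so that a "wrong certificate" never reaches the node. Assumes the openssl
# CLI is installed. check_admin_cert returns 0 when the pair is usable.
check_admin_cert() {
  cert="$1"; key="$2"; fqdn="$3"
  # 1. The private key must belong to the certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot parse certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot parse private key $key"; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate"; return 1
  fi
  # 2. The certificate must be valid now (-checkend 0 fails once expired).
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired"; return 1
  fi
  # 3. The name browsers use for the admin GUI must appear in SAN or CN.
  text=$(openssl x509 -in "$cert" -noout -text)
  case "$text" in
    *"DNS:$fqdn"*|*"CN=$fqdn"*|*"CN = $fqdn"*) ;;
    *) echo "FAIL: $fqdn is not covered by SAN or CN"; return 1 ;;
  esac
  echo "OK: certificate is usable for https://$fqdn/"; return 0
}

# Constructed test material (hypothetical names): a self-signed cert for the
# admin FQDN plus an unrelated private key, written into directory $1.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/admin.key" -out "$1/admin.crt" \
    -subj "/CN=ise-admin.example.test" \
    -addext "subjectAltName=DNS:ise-admin.example.test" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.key" >/dev/null 2>&1
}

# Demonstration: one good pair, one key mismatch, one wrong hostname.
tmp=$(mktemp -d)
make_test_material "$tmp"
check_admin_cert "$tmp/admin.crt" "$tmp/admin.key" ise-admin.example.test
check_admin_cert "$tmp/admin.crt" "$tmp/other.key" ise-admin.example.test
check_admin_cert "$tmp/admin.crt" "$tmp/admin.key" ise-psn.example.test
rm -rf "$tmp"
```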

ISE 1.2 does not support import/export of certificates from the CLI; I'll try to update it to 1.3. When I import the self-signed certificate into the cert store, will all current certificates be replaced by this one?

Yes, you're right. It's been a while since I last used ISE 1.2.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 

Aditya Ganjoo
Cisco Employee

Hi Serg,

You need to make sure you take a backup of the ISE before resetting the config.

If you have a valid contract you can open a case with TAC and they can delete the certificates from the root shell.

Regards,

Aditya

Please rate helpful posts and mark correct answers.