03-02-2021 07:25 AM
Hi,
My question is regarding "Multiple Certificates per Node. One for Each Service" / Certs renewal
Our current deployment consists of 6 ISE nodes => 2*PAN (Pri, Sec), 2*MnT (Pri, Sec) and 2*PSN (Pri, Sec), and we are using "Single Certificate per Node. Used for all Services"
Now that our infrastructure has been upgraded, including the CA Server, we want to shift from "Single Certificate per Node. Used for all Services" to "Multiple Certificates per Node. One for Each Service"
I know that the Admin Cert has to be on all the ISE nodes and the EAP/Portal Cert only on the PSN nodes. However, how do I perform this task properly?
Do I need to perform the Admin CSR 6 times, separately on each ISE node? Or can I perform the task directly once from PAN (Pri) for all the registered ISE nodes? Similarly for the EAP/Portal Cert, twice from the PAN (Pri)? Or separately on the PSNs?
Is there any manual that describes the workflow/steps to perform this task?
Regards,
OJ
03-02-2021 11:27 AM
I know that the Admin Cert has to be on all the ISE nodes and the EAP/Portal Cert only on the PSN nodes. However, how do I perform this task properly?
-You will use your PAN (primary admin node) to perform certificate functions for all nodes in the deployment. Functions include generating CSRs, binding the certs, adding certs to the ISE trust store, etc.
Do I need to perform the Admin CSR 6 times, separately on each ISE node? Or can I perform the task directly once from PAN (Pri) for all the registered ISE nodes? Similarly for the EAP/Portal Cert, twice from the PAN (Pri)? Or separately on the PSNs?
-As mentioned above, you will use the PAN to generate each CSR for each node/purpose.
This guide will definitely help: How To Implement Digital Certificates in ISE - Cisco Community
Good luck & HTH!
03-02-2021 01:46 PM
Thanks for the reply Mike,
What about the current system Cert (the result of the multi-usage CSR binding)? Would it automatically be replaced or ignored through the new Cert bindings?
Thanks and Regards,
OJ