03-08-2021 06:48 AM
Hi
I am renewing the EAP and Admin certs for an ISE cluster that consists of 6 nodes (2 PAN, 2 MnT and 2 PSN). How should I proceed with CSR binding (6 CSRs, multi-usage CSR per node)? Should I bind the PAN (Primary) first? Or should I start with the PSNs and MnT and leave the PAN (Primary) till the end? Wouldn't updating the cluster members one by one break the communication between the nodes, since they all need to have the same Admin cert to communicate?
Any Suggestion on how to renew the Certs?
Regards,
OJ
03-13-2021 08:47 PM
You will be fine, because the nodes can rely on the public CA or enterprise CA certificate chain to trust the new cert, whichever node you apply it to.
The other nodes (and endpoints) will trust the new cert(s) because they can validate the signatures of (at least one of) the signers which they trust.
If you are using self-signed certs, then it will definitely break, which is exactly why we say never to use self-signed certificates for a production deployment!
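As an added illustration of the trust point in this answer (example script, not part of the thread or of Cisco's documentation): a constructed enterprise CA signs a renewed node certificate, and a peer that only trusts the CA accepts it, while a renewed self-signed certificate is rejected. It assumes the openssl CLI is available; all names and files are made up here.

```shell
#!/bin/sh
# Added example: why a CA-signed renewal stays trusted by peers, and a self-signed one does not.
# Assumes the openssl CLI; CA name, node name and file paths are constructed for this demo.
set -e
WORK="$(mktemp -d)"

# Constructed enterprise CA that every "node" already has in its trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Enterprise CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Renewal path: a CSR for one node, signed by the trusted CA (as when binding a CA-issued cert).
openssl req -newkey rsa:2048 -nodes -subj "/CN=ise-psn1.example.local" \
  -keyout "$WORK/psn1.key" -out "$WORK/psn1.csr" 2>/dev/null
openssl x509 -req -in "$WORK/psn1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/psn1-new.pem" 2>/dev/null

# Self-signed path: a renewed cert with no trusted signer behind it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ise-psn1.example.local" \
  -keyout "$WORK/psn1-self.key" -out "$WORK/psn1-self.pem" 2>/dev/null

# peer_trusts <cert>: what another node does when it sees the renewed cert,
# validating the chain against its own trust store (here: the CA only).
# Prints "trusted" or "untrusted".
peer_trusts() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

peer_trusts "$WORK/psn1-new.pem"    # trusted: the chain to the enterprise CA validates
peer_trusts "$WORK/psn1-self.pem"   # untrusted: no trusted signer, as the answer warns
```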
03-08-2021 07:39 AM
Hi @OJ_Magellan
Start with PAN, MnT and PSN. For more info:
Certificate Renewal on Cisco Identity Services Engine Configuration Guide
Cisco Identity Services Engine Administrator Guide
Remember that:
"... If you install a server certificate on the ISE via a Certificate Signing Request (CSR) and change the certificate for the HTTPS or EAP protocol, the self-signed server certificate is still present but is no longer used.
Caution: For HTTPS protocol changes, a restart of the ISE services is required, which creates a few minutes of downtime. EAP protocol changes do not trigger a restart of the ISE services and do not cause downtime..."
Hope this helps!!!
03-08-2021 11:48 PM
Hi Marcelo,
Thanks for the reply, but wouldn't that cause the PAN to reload and then lose connection to MnT and PSN, since the PAN has a new Admin and EAP cert? My idea was to bind first on the other nodes and lastly on the PAN (Primary), since they're all gonna reload.
I've read that document; they don't mention much about a distributed deployment with an external CA.
Regards,
OJ