02-03-2025 11:16 PM - last edited on 02-04-2025 08:08 AM by shazubai
Hello,
I have a problem importing the Cisco ISE CA/key pairs. I have a two-node deployment, ISE1 and ISE2, where ISE1 was promoted to work as the primary admin node.
I exported the certificates from ISE2 successfully and stored them in the FTP-ISE-CERT repository; however, when I tried to import them on ISE1 I got a failure message:
"Import Operation Failed. CA keys file name not found at 'FTP-ISE-CERT'"
The running version of ISE is 3.3 patch 4.
Thank you
02-05-2025 09:20 PM
- Might be unrelated but worth mentioning : https://bst.cisco.com/bugsearch/bug/CSCwe66801?rfs=qvred
M.
02-06-2025 09:41 AM
What exactly do you need this CA trust point for? SFTP?
02-06-2025 09:52 AM
Which certificate are you referring to? An identity cert or a trusted cert? If an identity cert, was it issued by an internal PKI for both ISE nodes, or is it a self-signed cert belonging to ISE2? If the latter, I don't believe you can import a self-signed cert of one node to another.
02-10-2025 12:16 AM
The point is to import a root CA certificate from ISE2 (originally the primary admin node) to ISE1 (originally the secondary admin node). Now the root CA certificate is only on ISE2, so if I understand it correctly and ISE2 becomes unavailable, ISE1 won't be promoted to the root CA and won't be able to issue certificates.
02-10-2025 02:44 AM
Sorry, but I'm still unsure which certificate you are referring to. Could you please share a screenshot showing which certificate you are referring to? Generally speaking, both nodes should sync the trusted root certificates; however, they don't automatically sync the identity certs, as those can be on a per-node basis. However, if you are referring to the ISE internal PKI, then the primary PAN would be your root CA, and that role should move when you move the primary PAN persona. With ISE you can enable the PAN auto-failover feature; however, this feature requires at least three nodes in your deployment, as the third node would be the node that checks the health of the PANs. Also, with PAN auto-failover there is no preemption, which means that even if a failover happens the new PAN will remain as the primary, even after the previous primary PAN is restored, until you manually re-promote the previous primary PAN to become the primary PAN again.
02-17-2025 01:11 AM
I'm not sure if I understand it correctly. The ISE1 node is now in the primary role, so the internal root CA certificate is supposed to be on that node. Nevertheless, the certificate still remains on ISE2. I'm confused now about which node acts as the root CA.
02-17-2025 03:00 AM
First of all, those certificates shouldn't be exported/imported manually by anyone. Those are ISE certificate authority certificates, which are managed by ISE itself. I think you are right in saying the primary PAN should have the root CA certificate, but I don't think the root certificate will move if the primary PAN role moves to the secondary PAN.
So, what I believe has happened here is that previously ISE2 was your primary PAN, and at that stage the root CA certificate was generated on that node as expected. Then, when you added ISE1 to the deployment, ISE1 got its node CA certificate signed by ISE2, which was still the primary PAN.
In fact, if you look at the screenshot you shared, you can see that ISE1 has a node CA certificate signed by ISE2. Now, when you promoted ISE1 to become the primary PAN, the root CA certificate remained on ISE2, which I believe is expected; I don't believe promoting the PAN would move the root CA from the original primary PAN to the new one.
Also, I believe the node CA certificate that you see on ISE1 will still be able to sign the certificates for the PSNs even if the root CA certificate is on ISE2.
02-17-2025 03:23 AM
Alright, thank you. I've got a question, though. In case the root CA certificate stays on ISE2 and that node becomes unavailable, will ISE1 be able to issue certificates, for instance for BYOD? I mean, will the issued certificates still be considered trusted?
02-17-2025 05:10 AM
You're welcome. Yes, that would be my understanding, because ISE1 already has its node CA certificate signed by the ISE2 root CA, so it doesn't really need ISE2 in order to sign any required certs for the PSNs to serve the BYOD flow.
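To make the chain reasoning in this answer concrete, here is an added example in Go that is not ISE's code and not from anyone in this thread. It models the topology described above with plain X.509 (a generic CA hierarchy, not ISE's actual internal CA structure): a constructed "ISE2" root CA, a constructed "ISE1" node CA signed by it, and an endpoint certificate issued by the node CA. The root's private key is used once to sign the node CA and never again, which is the situation the answer describes when ISE2 is down. The example then goes one step beyond the answer by verifying the endpoint certificate three ways: against the root with the node CA supplied (valid), against the root without the node CA (fails, because the relying party cannot build the chain), and against an unrelated self-signed root (fails, which is why a self-signed cert generated on one node is not trusted elsewhere, as an earlier reply noted). All names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl. When parent is nil the certificate is
// self-signed with its own fresh key; otherwise it is signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: the template is its own issuer
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// caTemplate returns a CA certificate template for the given (constructed) subject name.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewSelfSignedRoot builds a stand-alone root CA that shares nothing with the deployment.
func NewSelfSignedRoot(cn string) (*x509.Certificate, error) {
	cert, _, err := issue(caTemplate(cn, 99), nil, nil)
	return cert, err
}

// Deployment holds the certificates of the constructed two-node topology.
type Deployment struct {
	Root     *x509.Certificate // "ISE2" root CA; its private key is dropped after signing NodeCA
	NodeCA   *x509.Certificate // "ISE1" node CA, signed by Root
	Endpoint *x509.Certificate // BYOD endpoint certificate, signed by NodeCA only
}

// BuildDeployment models the thread's situation: the root CA lives on ISE2, ISE1's node CA
// is signed by it, and ISE1 then issues an endpoint certificate using only its own key.
func BuildDeployment() (*Deployment, error) {
	root, rootKey, err := issue(caTemplate("ISE2 Root CA (constructed)", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	nodeCA, nodeKey, err := issue(caTemplate("ISE1 Node CA (constructed)", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	// From here on rootKey is never used: the root CA is effectively "unavailable".
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "byod-device-01 (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	endpoint, _, err := issue(leafTmpl, nodeCA, nodeKey)
	if err != nil {
		return nil, err
	}
	return &Deployment{Root: root, NodeCA: nodeCA, Endpoint: endpoint}, nil
}

// VerifyEndpoint checks leaf the way a relying party would: only root is trusted, any
// intermediates (the node CA) are presented with the leaf, and the certificate must be
// valid for client authentication (the EAP-TLS/BYOD use). A nil error means trusted.
func VerifyEndpoint(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	d, err := BuildDeployment()
	if err != nil {
		panic(err)
	}
	other, err := NewSelfSignedRoot("ISE1 Standalone Root (constructed)")
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted, node CA presented:   ", VerifyEndpoint(d.Endpoint, d.Root, d.NodeCA))
	fmt.Println("root trusted, node CA missing:     ", VerifyEndpoint(d.Endpoint, d.Root))
	fmt.Println("unrelated self-signed root trusted:", VerifyEndpoint(d.Endpoint, other, d.NodeCA))
}
```

The design point is that trust anchors on a relying party are public certificates, so once the node CA certificate has been signed, issuing and validating endpoint certificates needs the root's certificate but not its private key. The second case also shows why the node CA certificate must be sent in the chain (or already be installed on the verifier): trusting the root alone is not enough to reach the endpoint certificate.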
02-10-2025 02:44 AM
Please check this link if you happen to refer to ISE internal PKI:
 