Distributed Cisco ISE - System Certificates

RFC_2549 (Level 1)

Hello,

We have a standalone Cisco ISE and are going to add a second ISE, so the standalone node will become the primary and the new server will become the secondary node.
On the current ISE node we have a few system certificates:
- a certificate used by EAP Authentication, Admin, Portal, RADIUS, DTLS;
- a certificate used by SAML;
- a certificate used by ISE Messaging Service;

- a certificate used by pxGrid.

When we add the second node, what do we need to do with the certificates on both nodes?

Thank you and kind regards


3 Replies

@RFC_2549 the existing node and the new node will both need to trust the "admin" certificate: either sign the "admin" certificate with your internal CA, or export/import the current certificate into the trusted certificate store.

It depends on what you are using ISE to authenticate. If you are using ISE for basic 802.1X authentication, then the "EAP" certificate on both nodes should be replaced with a certificate trusted by the client computers. If you are not using the other certificates (i.e., Portal, DTLS, pxGrid, etc.), then you can leave the existing certificates.

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html
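A way to check the trust relationship the reply above describes before you register the node, as an added example that is not part of the original thread or of Cisco's own tooling: the script below builds throwaway certificates with openssl (an assumed internal CA, two assumed node names ise-pan.example.com and ise-psn.example.com, and a self-signed certificate standing in for the one a fresh node ships with) and then checks whether a given trusted store would accept a node's admin certificate and whether that certificate carries the node FQDN in its SAN. The two cases mirror the two options in the reply: CA-signed admin certificates, where each node only needs the CA certificate in its trusted store, and self-signed ones, where the peer's certificate itself has to be imported.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Cisco.
# It builds throwaway certificates with openssl and checks, for a given trusted
# store, whether a node's admin certificate would be trusted and whether the
# certificate carries the node FQDN in its SAN. Hostnames are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ---- constructed test material (assumed internal CA and two node names) ----
# The internal CA that signs the admin certificates of both nodes.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Internal CA" -days 365 >/dev/null 2>&1

# issue_node_cert NAME FQDN: key, CSR and CA-signed certificate with the
# node FQDN in the subjectAltName, as you would request for the admin role.
issue_node_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$2" >"$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile "$1.ext" -out "$1.pem" -days 365 >/dev/null 2>&1
}
issue_node_cert ise-pan ise-pan.example.com   # existing node, becomes primary
issue_node_cert ise-psn ise-psn.example.com   # new node, becomes secondary

# The self-signed admin certificate a fresh ISE node ships with (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key \
    -out selfsigned.pem -subj "/CN=ise-psn.example.com" \
    -addext "subjectAltName=DNS:ise-psn.example.com" -days 365 >/dev/null 2>&1

# ---- checks ----------------------------------------------------------------
# trusted_by STORE CERT: succeeds when CERT chains to a certificate in STORE.
# STORE stands in for the peer node's Trusted Certificates store.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_has CERT FQDN: succeeds when FQDN is listed in the certificate's SAN.
san_has() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# registration_ready STORE CERT FQDN: both conditions the peer needs before
# registration; prints the reason when one of them fails.
registration_ready() {
    trusted_by "$1" "$2" || { echo "$2: not trusted by $1 (import the CA or the certificate)"; return 1; }
    san_has "$2" "$3" || { echo "$2: SAN does not contain $3"; return 1; }
    echo "$2: OK for $3"
}

# Case 1: both admin certificates signed by the internal CA; each node only
# needs the CA certificate in its trusted store.
registration_ready ca.pem ise-psn.pem ise-psn.example.com
registration_ready ca.pem ise-pan.pem ise-pan.example.com

# Case 2: the new node still has its self-signed certificate; the primary
# does not trust it until that certificate itself is exported and imported.
registration_ready ca.pem selfsigned.pem ise-psn.example.com || true
cat ca.pem selfsigned.pem >trusted.pem      # primary's store after the import
registration_ready trusted.pem selfsigned.pem ise-psn.example.com
```

Run it as-is to see both cases; to check real nodes, point `trusted_by` at an export of the peer's Trusted Certificates store and at the admin certificate you pulled from the other node, and pass that node's FQDN to `san_has`.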


Hi @RFC_2549 ,

1st, to register other nodes, you must first change the role of the node from Standalone to Primary.

At Administration > System > Deployment > select the Node > Make Primary:

[Screenshot: Make Primary.png]

2nd, register the new node.

At Administration > System > Deployment > Register:

[Screenshot: Register.png]

3rd, import the certificates of the new node (the same way you imported them for the 1st node).

At Administration > System > Certificate Management > System Certificates > Import:

[Screenshot: System Certificates.png]

Hope this helps !!!

ammahend (VIP Alumni)

Share a screenshot of the System Certificates page from the current active node; make sure we can see everything from Friendly Name to Status.

Administration > System > Certificate > Certificate management > System Certificates

-hope this helps-