In Deep Do Do ISE 2.1 upgrade to 2.2

stuart.pannell
Level 3

Hi All, so I have adopted this ISE appliance that we use for TACACS authentication only to Cisco network devices. It is running version 2.1.0.474. I have decided it was time to upgrade it and started to follow the written processes. I have hit a problem where trying to upgrade to 2.2 (Stage 1) I get the error:
Trust certificate with friendly name 'Certificate Services Node CA - ACS1#00002' is invalid: The certificate has expired.
Trust certificate with friendly name 'Certificate Services OCSP Responder - ACS1#00004' is invalid: The certificate has expired.
Trust certificate with friendly name 'Certificate Services Endpoint Sub CA - ACS1#00001' is invalid: The certificate has expired.

I can't find anywhere where I can renew these certs. I have read that if you create a new certificate signing request then you can reset the internal root CA certs, but there is not an option to do this with the version I am running.

Accepted Solution

I have raised a TAC case and what they are seeing is that the details are still in the DB however the certificates themselves no longer exist. They are going to login tomorrow and remove the DB entries.

Thank you for your support and suggestions


8 Replies

You can delete the certificates from the Trusted Certificate store.  That being said, why even bother to upgrade?  So many things have changed in ISE since 2.1.  You are much better off starting over from scratch and building out a new deployment on the current suggested release, ISE 3.1.

Thanks for the input, however they do not appear in the Trusted Certificate Store and that is the problem: not able to renew and not able to delete, but the upgrade sees them from somewhere and they are expired! As for trying to go through the upgrade pain, well, we have a number of devices configured for TACACS and a number of identity profiles, and I am trying to avoid having to re-add these.

You can export/import the network access devices.  

Hi @stuart.pannell,

Please check if these Certificates are located at: Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.

If the answer is Yes, then:

1st, at Administration > System > Certificates > Certificate Authority > Internal CA Settings, check if your Certificate Authority is Enabled (in other words, you see the Disable Certificate Authority icon).

2nd, at Administration > System > Certificates > Certificate Management > Certificate Signing Request, click Generate Certificate Signing Request (CSR) and at Usage select ISE Root CA.

Hope this helps !!!

Hi Marcelo, although I have my server listed under the "Certificate Authority Certificates", there are no certificates listed underneath it.
I have tried with the Internal CA both disabled and enabled and neither time am I able to select ISE Root CA when choosing to generate a CSR. It's not even listed as an option under 'ISE Identity Certificates'.

Hi @stuart.pannell,

Could be "garbage" ... use the following command and check the "Displaying local and trust certificates in PEM format" part of it:

ise/admin# show tech-support

Open a TAC case to check "inside" and remove these Certificates.

Hope this helps !!!
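Marcelo's suggestion is to look at the PEM section of the tech-support output. As an added example (not from this thread or from Cisco), the following Python script parses every PEM certificate in such an output and reports the ones whose notAfter date has passed, using a minimal DER walker so it needs nothing beyond the standard library. It assumes the section heading quoted in the post above; the sample input is constructed, not a real ISE dump, and the certificate skeletons in it are unsigned.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles short and long length forms."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):
    """All (tag, value) TLVs directly inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def not_after(der_bytes):
    """notAfter of a DER certificate as an aware UTC datetime (structure only, no signature check)."""
    fields = children(tlv(tlv(der_bytes)[1])[1])      # Certificate -> tbsCertificate -> its fields
    if fields[0][0] == 0xA0:                          # drop the optional [0] EXPLICIT version
        fields.pop(0)
    t_tag, t_val = children(fields[3][1])[1]          # serial, signature, issuer, validity[notBefore, notAfter]
    fmt = "%y%m%d%H%M%SZ" if t_tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(t_val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expired_certs(text, now=None):
    """(index, notAfter) for every PEM certificate in text that has expired as of now."""
    now = now or datetime.now(timezone.utc)
    certs = [not_after(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(text)]
    return [(i, exp) for i, exp in enumerate(certs) if exp < now]

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body
def fake_cert(not_before, not_after_):
    """Constructed, unsigned certificate skeleton: version, serial, sigalg, issuer, validity only."""
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after_.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x05, b"")) + der(0x30, b"") + validity)
    body = base64.b64encode(der(0x30, tbs + der(0x30, der(0x05, b"")) + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-in for the PEM section of show tech-support: one expired cert, one still valid.
SAMPLE = ("Displaying local and trust certificates in PEM format\n"
          + fake_cert("170101000000Z", "190101000000Z") + fake_cert("220101000000Z", "320101000000Z"))
```

Run `expired_certs(open("tech-support.txt").read())` against a saved dump to get the positions of the expired blocks; the friendly names from the upgrade error are not inside the PEM blocks, so match them up by order against the surrounding output.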

Excellent news @stuart.pannell