ISE 2.4.0.357 certificates renewal

Clem58
Level 3

Hello,

We have an ISE 2.4.0.357; in the deployment we can see these nodes:

Capture.JPG

In System Certificates we can see this certificate will expire soon. This certificate has one unique CN but SANs with all the nodes' hostnames:

Capture2.JPG

This same certificate is used for all nodes, except one node which has a self-signed certificate:

Capture6.JPG

The idea is to renew these certificates with a common one for all nodes. I have generated CSRs for all nodes; basically only the friendly names are changing:

Capture4.JPG

So the next step is, for each node, to bind the signed certificate (signed by our internal CA), correct?

Does that also mean each node will restart its ISE services too, as we will have to renew the Admin certificate?

Thanks in advance for your help,

Accepted Solution

@Clem58

If the certificate has SAN entries for each of the ISE nodes, that should be fine.

Assuming your NADs (switches, wifi controllers, etc.) have been configured with all your PSNs (RADIUS/TACACS), then yes, if you restart the services on one PSN the others will continue to provide service. I'd still recommend performing the work in a quiet period.

FYI, some services are not available when the PAN is down:

ise-failover.PNG

HTH


4 Replies

@Clem58 Yes, the certificate would need binding to each node; as it's the Admin certificate, the ISE services will restart. So plan the change accordingly, and ensure you don't do the PSNs at the same time.

Thanks Rob for your quick answer.

Our CA doesn't want to generate a signed certificate for each node.

But actually the CSRs generated contained the exact same fields, CN and SANs, so if we use only one of the exported CSRs and let the CA generate the signed cert, we should be able to bind this same signed cert on each node, correct?

Concerning planning the change: when the services restart, the ISE node should fail over to the other nodes, I assume, so not so much risk? Anyway, we need to plan it.


Many thanks Rob for your comprehensive answer!