09-22-2021 03:18 AM - edited 09-22-2021 04:44 AM
Hello,
We have an ISE 2.4.0.357; on the deployment page we can see these nodes:
In the System Certificates page we can see this certificate will expire soon; this certificate has one unique CN but SANs with all the nodes' hostnames:
This same certificate is used for all nodes, except one node which has a self-signed certificate:
The idea is to renew these certificates with a common one for all nodes. I have generated CSRs for all nodes; basically only the friendly names are changing:
So the next step is, for each node, to bind the signed certificate, signed by our internal CA, correct?
Does that mean also that each node will restart its ISE services too, as we will have to renew the Admin certificate?
Thanks in advance for your help,
09-22-2021 06:50 AM
@Clem58 Yes, the certificate would need binding to each node; as it's the Admin certificate, the ISE services will restart. So plan the change accordingly and ensure you don't do the PSNs at the same time.
09-22-2021 12:13 PM
Thanks Rob for your quick answer.
Our CA doesn't want to generate a signed certificate for each node.
But actually the CSRs generated contained the exact same fields, CN and SANs, so if we use only one of the exported CSRs and let the CA generate the signed cert, we should be able to bind this same signed cert on each node, correct?
Concerning planning the change, when the services restart the ISE node should fail over to the other nodes, I assume, so not so much risk? Anyway, we need to plan it.
09-22-2021 12:45 PM - edited 09-22-2021 12:47 PM
If the certificate has SAN entries for each of the ISE nodes, that should be fine.
Assuming your NADs (switches, wifi controllers etc.) have been configured with all your PSNs (RADIUS/TACACS), then yes, if you restart the services on one PSN the others will continue to provide service. I'd still recommend performing the work in a quiet period.
FYI, some services are not available when the PAN is down.
HTH
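Before binding one shared certificate to every node, it is worth checking mechanically that its SAN list really does cover each node hostname and how long it has left. The script below is an added example, not from this thread or from Cisco; it builds a throwaway self-signed certificate with constructed placeholder hostnames (`ise-pan1.example.internal` etc.) to stand in for the CA-signed one, and assumes an OpenSSL 1.1.1+ command line.

```shell
#!/bin/sh
# Added example: verify that a single ISE-wide certificate's SAN entries
# cover every node hostname, and check how close it is to expiry.
# All hostnames here are constructed placeholders, not a real deployment.
set -e

# Build a throwaway self-signed cert with one CN and a SAN per node,
# mirroring the "one CN, SANs for all nodes" layout discussed above.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=ise-admin.example.internal" \
    -addext "subjectAltName=DNS:ise-pan1.example.internal,DNS:ise-pan2.example.internal,DNS:ise-psn1.example.internal" \
    >/dev/null 2>&1
}

# Print the DNS SAN entries of a PEM certificate, one per line.
cert_san_dns() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# Return 0 if every hostname given after the cert path is in its SANs;
# otherwise print each missing node and return 1.
san_covers_nodes() {
  cert=$1; shift
  sans=$(cert_san_dns "$cert")
  missing=0
  for node in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$node"; then
      echo "missing SAN for node: $node"
      missing=1
    fi
  done
  return $missing
}

# Return 0 if the cert will still be valid N days from now (-checkend).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Sample run against the constructed certificate: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  make_test_cert /tmp/ise-demo
  san_covers_nodes /tmp/ise-demo.pem ise-pan1.example.internal ise-psn1.example.internal && echo "SAN coverage ok"
  cert_valid_for_days /tmp/ise-demo.pem 7 && echo "still valid in 7 days"
fi
```

Run `san_covers_nodes` against the real CA-signed PEM with the full node list from the deployment page; a node it reports as missing will fail hostname validation when clients connect to that node.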
09-23-2021 06:51 AM