ISE 2.4 to 2.7 Upgrade Journey - Regenerate the Root CA Chain

Hello everybody.

 

I’ll upgrade an ISE 2.4 cluster of five nodes to 2.7.

I’m reading the upgrade journey guide ( https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/upgrade_guide/Upgrade_Journey/Cisco_ISE_2_7_Upgrade_Journey.html ) and I have a question about a point in the Post-Upgrade Tasks, in the Regenerate the Root CA Chain section:

 

Regenerate the Root CA Chain
In case of the following events, you must regenerate the root CA chain:

- Changing the domain name or hostname of your PAN or PSN.

- Restoring a backup on a new deployment.

- Promoting the old Primary PAN to the new Primary PAN post upgrade

 

My question is about the last bullet point.

I’ll perform the upgrade task following the suggested sequence of nodes in the guide.

So the first node on which to perform the upgrade will be the Secondary PAN, which will become the new Primary PAN in the new deployment (2.7).

 

The last node on which to perform the upgrade will be the old Primary PAN (2.4), which will be the Secondary PAN in the new deployment (2.7).

 

However, I would like to restore the roles as they were in the old deployment, so I’ll promote the Secondary PAN to Primary. So, to my understanding, I fall under the bullet point: Promoting the old Primary PAN to the new Primary PAN post upgrade.

 

Is my assumption correct? Should I regenerate the Root CA Chain?

 

Thanks a lot for your support.

 

Americo


Hi @Americo Massotti ,

yes, your understanding is correct.

Regenerating the Root CA Chain is an easy and important step.

To Regenerate the Root CA Chain:

1. In Administration > System > Certificates > Certificate Authority > Internal CA Settings:
   click Enable Certificate Authority.
2. In Administration > System > Certificates > Certificate Management > Certificate Signing Request:
   click Generate Certificate Signing Request (CSR) ... in Use, select ISE Root CA.

 

Hope this helps !!!

 

Hi Marcelo, thanks a lot for your reply.

 

So this means that after the upgrade I should send the new CSR to the team that manages the CA for signing?

 

Is it the only way?
What I mean is, I have seen a lot of videos about ISE upgrades, and after the last step (upgrade the old PAN into the new deployment and promote it to become the Primary PAN again) nobody talks about this important step.

 

Thanks once again.

 

Americo

 

Hi @Americo Massotti ,

it's recommended to Regenerate the Root CA Chain, because there is a possibility that you hit the following bug: CSCvp45528 "Queue Link Error alarm generated after signing of ISE CA certificate by external Root CA".

 

Note:

1. I had this problem after upgrading ISE from 2.4 P10 to 2.7 P2.

2. More info at: ISE 2.6 Alarm "Queue Link Error".

 

Hope this helps !!!

Hello Marcelo, thanks once again.

 

So, to my understanding, is this workaround a self-sufficient step?

What I mean is, when I generate a new CSR from the Primary PAN, it usually has to be signed by an external authority.

 

However, is the step of clicking "Replace ISE root CA Certificate Chain" self-sufficient, without the need to send the new one to an external authority to be signed?

 

Do I understand correctly?

 

PS: I will perform the upgrade from the same starting release as yours to 2.7 P2.

 

Thanks once again.

 

Americo

 

Hi @Americo Massotti ,

yes, your understanding is correct; it's self-sufficient.

 

Have a nice one.