ISE 2 node deployment - admin certificate not trusted

dusansim
Level 1

Hello.

I have a two-node ISE setup, running version 3.0.0.458. Both nodes have administration, monitoring and policy service personas. There are 2 certificates used:

- self-signed for Admin, Portal

- internal CA issued certificate for RADIUS DTLS, EAP Authentication

The secondary node's self-signed certificate was expiring; I generated a new self-signed certificate and lost admin control over the node. The nodes are still connected, however I am not able to manage it via the primary node GUI, and the only thing I can do on the secondary node is to promote it to a Standalone node.

What is the correct approach to fix the situation? I was thinking of changing the role of the secondary node to standalone to get admin access, deregistering the secondary node from the primary GUI, then registering it again so that its new self-signed certificate is trusted.

1 Accepted Solution


Arne Bier
VIP

Hi @dusansim 

Probably de-register and re-register is the way to go.

In future, instead of regenerating an ISE self-signed cert, you should rather edit it and extend the lifespan. Example below. This is possible because the cert simply gets its valid-from and valid-to dates updated.

[screenshot: ArneBier_0-1761175545670.png]

As for using self-signed for Admin - I agree with @ahollifield - it's ugly because of the browser warnings - at least use your company PKI to create those.

I can also see from some organisations' point of view that updating the ISE admin cert is a PAIN. Some organisations have a 1-year policy, and that causes a lot of work and disruption - take a large deployment and then you can spend some hours just with this task. Using a public CA is also not the solution, because of cost, and the fact that those cert lifetimes are 1 year, and will decrease steadily over the coming years.

Thus: Having self-signed certs for a very long time is an approach I have seen customers take, when they can't afford the downtime. Seems reasonable to me.
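As an added example (not from this thread or from Cisco), a stdlib-only Python check for the situation above: it reports how many days an ISE node's admin certificate has left and whether it is self-signed, and it trusts only a pinned copy of that certificate, so a node that has regenerated its self-signed cert shows up as a verification failure instead of being silently accepted. The hostname, dates and the pinned PEM path are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the hostname and dates are made up for this example.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ise-sec.example.internal"),),),
    "issuer": ((("commonName", "ise-sec.example.internal"),),),
    "notBefore": "Oct 20 00:00:00 2025 GMT",
    "notAfter": "Nov 15 00:00:00 2025 GMT",
}

def _name(rdns):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (type, value)
    return {k: v for rdn in rdns for k, v in rdn}

def assess_cert(cert, now=None, warn_days=30):
    """Expiry and self-signed facts for one getpeercert() dict."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    days_left = (not_after - now).days
    return {
        "cn": subject.get("commonName"),
        "self_signed": subject == issuer,  # an ISE self-signed cert is its own issuer
        "days_left": days_left,
        "renew_soon": days_left <= warn_days,
        "trusted": True,
    }

def check_node(host, pinned_pem, port=443, timeout=5):
    """Fetch and assess a live node's admin cert, trusting only the pinned copy (assumed path)."""
    # A regenerated self-signed cert (this thread's situation) no longer matches the pin,
    # so verification fails and is reported instead of being silently accepted.
    ctx = ssl.create_default_context(cafile=pinned_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"cn": host, "trusted": False, "error": str(exc)}

def demo(warn_days=30):
    # Evaluate the constructed sample as seen on 22 Oct 2025 (24 days before expiry)
    return assess_cert(SAMPLE_PEERCERT,
                       now=datetime(2025, 10, 22, tzinfo=timezone.utc), warn_days=warn_days)
```

Run `check_node("ise-sec.example.internal", "/path/to/pinned.pem")` against each node from a monitoring host; a `trusted: False` result is the cue to re-export and re-pin before the deployment loses admin access.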


5 Replies

Why are you using self-signed certificates? Also why a two node deployment, and not three? 

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-0.html 

These are good questions and should be answered by the person who designed and implemented the solution. Thank you for pointing out the EOS date. 


Hi Arne.

Thank you for the tip on prolonging the expiration TTL. Is it OK to use the same local CA signed certificate for all purposes, or should I sign one for Admin purpose and the other one for the rest?

In your case, I would use the ISE self-signed cert for Admin, and leave the other fields unticked.

In my deployments, I don't use self-signed certs for anything (I would use corp PKI signed for Admin, EAP and sponsor portals) and public CA for guest portals. And to avoid cert expiration warnings, I tend to extend all the remaining self-signed certs by 10 years or so, using the edit feature.