
ISE 3.0 upgrade 3.2: backup ISE certificate authority / issued certs

Hello

We have an HA deployment, ISE is self-signed, and we have issued about 40 certs for devices.

See the screenshot.

What is the best way to upgrade to avoid reinstalling the certs on the devices?

If I use the CLI "application configure ise":

S2-AB-SEISE-011-001/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store

Will it work with [7] Export Internal CA Store?

Is it mandatory to export the System Cert by GUI?

Or on the new 3.2, can we use a fresh install of system certificates and import the Internal CA Store?

Thanks a lot,

Regards

Attachments: ISE CA Cert.png, ISE issued certs.png

1 Reply

Arne Bier
VIP

Very good question and one that deserves an answer by someone who has done this - or tested in the lab. I currently don't have a lab to test the Internal CA export / import. But if you import your exported CA into a clean ISE 3.2 node, then the end result should be that your internal CA looks the same as your screenshot. In other words, the importing of the CA database will ADD the original Root, Node, Endpoint and OCSP certs. I think the factory ISE 3.2 installed certs will remain in place, but will not be the active ones.

As for the PSN EAP System Cert, that you must export via the GUI (export the private key too) - and then import that cert+key into your new ISE 3.2 PSN responsible for the EAP role.
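
One way to check the outcome described in the reply above (added example, not part of the original thread and not Cisco code): compare SHA-256 fingerprints of the internal CA certificates saved as PEM before the upgrade with those saved from the new 3.2 node after the import. It assumes you have both sets as PEM bundles; the sample data is constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprints (hex) of every cert in a PEM bundle."""
    result = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        result.add(hashlib.sha256(der).hexdigest())
    return result


def compare_ca_stores(before_pem, after_pem):
    """Check that every CA cert present before the upgrade exists afterwards."""
    before, after = fingerprints(before_pem), fingerprints(after_pem)
    return {
        # Old CA certs absent from the new node: certs issued under them
        # would no longer chain to a CA the deployment knows.
        "missing": sorted(before - after),
        # Certs only on the new node, e.g. those generated at install time.
        "extra": sorted(after - before),
        "ok": bool(before) and before <= after,
    }


def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed sample: two "old" CA certs, one extra cert on the new node.
    old = make_pem(b"constructed-root-ca") + make_pem(b"constructed-endpoint-sub-ca")
    new = old + make_pem(b"constructed-factory-root-ca")
    report = compare_ca_stores(old, new)
    print("all original CA certs present:", report["ok"])
    for fp in report["missing"]:
        print("MISSING after import:", fp)
    for fp in report["extra"]:
        print("only on new node:", fp)
```

A matching fingerprint only shows the same CA certificate is present; it does not prove the CA private key was imported with it.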