ISE 3.3 system certificate update

MonkeyBear007
Level 1

We use a public cert. What is the recommended way to renew the cert, as they are part of the deployment (primary and secondary)?
They are not part of the PAN failover.

Does it matter if I gave it the common names of both ISE servers and uploaded it to each ISE?
Is it best practice to make one for each ISE server?

1 Accepted Solution

alison23taylor
Level 1

Hello,
For ISE 3.3 public certificate renewal on a primary and secondary deployment, it is best practice to generate a separate Certificate Signing Request (CSR) for each ISE node. While you can include both ISE server common names as Subject Alternative Names (SANs) in a single certificate and upload it to both, creating individual certificates for each ISE server, each with its own FQDN as the Common Name (CN) and also including the other node's FQDN as a SAN (if desired for specific services), is generally recommended. This approach simplifies management, clearly identifies each node, and aligns with the principle of least privilege for certificates. Remember that changing the Admin certificate will require a service restart, but ISE 3.3 offers a "Scheduled Restart" feature to minimize disruption. Always back up your existing certificates and keys before performing renewals.

8 Replies

@MonkeyBear007 what certificate usage do you refer to: admin, EAP, portal, etc.?

It's common to use the same certificate (wildcard or multi-SAN) on the ISE nodes for EAP and Portal usage.

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

Have a look at pages 31-37 https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2234.pdf

We use it for Admin, EAP authentication and portal.
I was thinking, for ISE1: ISE1.domain.com as the common name for ISE1,
subject alternative name: ISE1, ISE2, IP address, DNS server name, etc.
For ISE2: ISE2.domain.com as the common name for ISE2,
subject name: ISE1 and ISE2, etc.,
subject alternative name: ISE1, ISE2, IP address, DNS server name, etc.

@MonkeyBear007 did you look at the Cisco Live presentation, and the scenario of using a wildcard or multi-SAN certificate?

I did training and you can have problems using wildcards.
I don't think security will like the idea of a wildcard.
I thought you could use Intune to force trusting a cert.

@MonkeyBear007 read the official Cisco Live presentation above; it explains a scenario where you may wish to use the same certificate (a wildcard or multi-SAN) on all of the PSNs if a client is authenticated by different PSNs. The issue I refer to is specific to Apple devices though; if it is not applicable to your environment then deploy individual certificates to each node.
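The per-node CN/SAN layout discussed in the accepted solution and in the replies above (own FQDN as CN, both node FQDNs and IPs as SANs, versus one wildcard or multi-SAN certificate on every PSN) can be sanity-checked before a CSR goes to the CA. The following is an added example written for this page, not code from the thread or from Cisco: it models the name-matching rule TLS clients apply (SAN entries take precedence over the CN, a wildcard only covers the left-most label, an IP target must appear as an IP SAN) and runs it over a constructed two-node deployment with hypothetical names ise1.example.com / ise2.example.com and addresses 10.0.0.11 / 10.0.0.12. It is a planning check on the intended name set, not a parser of real certificates.

```python
import ipaddress

# Constructed deployment (hypothetical names/addresses, not from the thread):
# two ISE nodes that both terminate Admin, EAP and portal TLS.
DEPLOYMENT = {
    "ise1.example.com": "10.0.0.11",
    "ise2.example.com": "10.0.0.12",
}

# Constructed wildcard alternative, for comparison with per-node certificates.
WILDCARD_CERT = {"cn": "*.example.com", "dns": ["*.example.com"], "ip": []}


def plan_csr(node_fqdn, deployment):
    """Per-node CSR plan as recommended in the thread: CN is the node's own
    FQDN, SANs list every node FQDN and IP so that a client that lands on the
    other PSN (or follows an IP-based portal redirect) still gets a match."""
    if node_fqdn not in deployment:
        raise ValueError(f"{node_fqdn} is not a deployment node")
    return {
        "cn": node_fqdn,
        "dns": sorted(deployment),
        "ip": sorted(deployment.values()),
    }


def san_matches(san_entry, hostname):
    """RFC 6125-style DNS name match: exact, or a wildcard confined to the
    left-most label ('*.example.com' covers 'ise1.example.com' but neither
    'a.b.example.com' nor 'example.com')."""
    san, host = san_entry.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # the part the '*' stands for
    return bool(left) and "." not in left


def cert_covers(cert_names, target):
    """Would a certificate carrying these names satisfy a client connecting
    to `target`? Clients use the SAN extension when present and fall back to
    the CN only when there is no SAN at all; IP targets need an IP SAN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if cert_names["dns"] or cert_names["ip"]:
        if ip is not None:
            return str(ip) in cert_names["ip"]
        return any(san_matches(s, target) for s in cert_names["dns"])
    return ip is None and san_matches(cert_names["cn"], target)


def check_deployment(deployment):
    """For each node's planned certificate, check it covers every FQDN and
    IP a client in the deployment might be pointed at.
    Returns {(node, target): covered}."""
    targets = list(deployment) + list(deployment.values())
    report = {}
    for node in deployment:
        names = plan_csr(node, deployment)
        for target in targets:
            report[(node, target)] = cert_covers(names, target)
    return report


if __name__ == "__main__":
    for (node, target), ok in check_deployment(DEPLOYMENT).items():
        print(f"{node:18} cert covers {target:18} {'OK' if ok else 'MISSING'}")
    # The wildcard covers both node FQDNs but not an IP-addressed portal.
    for target in ["ise1.example.com", "ise2.example.com", "10.0.0.11"]:
        print(f"wildcard covers {target:18} {cert_covers(WILDCARD_CERT, target)}")
```

Running it shows every per-node certificate covering both FQDNs and both IPs, while the wildcard covers the FQDNs only; if you plan to reference a node by IP anywhere (portal redirects, sponsor links), that gap is the one to close in the SAN list before submitting the CSR.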

Thank you.

Is it recommended to do the primary first, then the secondary, for the ISE cert?