
ISE Certificate format and installation

descalante2007
Level 1

My customer's PKI will generate a certificate for the ISE. They ask me if the format supported by the ISE is .cer or .pfx ... I think it is .cer but I'm not sure, can somebody confirm?

On the other hand, the information I have reviewed indicates the ISE needs a restart after the certificate installation, but the documentation usually refers to distributed installations. In this case, it is a standalone installation; is the reset necessary?

Regards.

4 Replies

I've used .cer.

It has been a while since I imported a cert to ISE, but I don't think I rebooted the device.

Thank you. I will advise the customer .. I hope we don't have any issue.

Regards.

Naveen Kumar
Level 4

Hello

Question: My customer's PKI will generate a certificate for the ISE. They ask me if the format supported by the ISE is .cer or .pfx ... I think it is .cer but I'm not sure, can somebody confirm?
Answer: The certificate format supported by ISE is ".cer".

Question: On the other hand, the information I have reviewed indicates the ISE needs a restart after the certificate installation, but the documentation usually refers to distributed installations. In this case, it is a standalone installation; is the reset necessary?
Answer: In a standalone installation, there is no need to restart the ISE after importing the certificate.

But if you have deployed ISE in HA, then if you edit a certificate authority certificate on your primary Cisco ISE node, you must restart the secondary nodes connected to your primary Cisco ISE node. To restart the secondary nodes, from the command-line interface (CLI), enter the following commands:
a. application stop ise
b. application start ise
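
A `.cer` file may be DER or Base64 (PEM) encoded, while a `.pfx` is a PKCS#12 container, so it helps to check what the PKI actually delivered before importing it. The following is an added example, not part of the original thread: the function names and sample bytes are constructed for illustration, and the check is a heuristic on the outer ASN.1 structure that assumes X.509 v3 certificates.

```python
import base64
import re

# Matches one PEM block and captures its label and Base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: next n bytes are the length
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def classify_der(der):
    """Heuristic: separate an X.509 v3 certificate from a PKCS#12 container."""
    try:
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:                    # both formats are an outer SEQUENCE
            return "unknown"
        tag2, start2, end2 = read_tlv(der, start)
        # PFX ::= SEQUENCE { version INTEGER (3), ... }
        if tag2 == 0x02 and der[start2:end2] == b"\x03":
            return "pkcs12"
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version, ... } }
        if tag2 == 0x30 and read_tlv(der, start2)[0] == 0xA0:
            return "x509-der"
    except IndexError:                     # truncated input
        pass
    return "unknown"

def classify(data):
    """Classify raw file bytes as x509-pem, x509-der, pkcs12, pem:<LABEL> or unknown."""
    m = PEM_RE.search(data)
    if not m:
        return classify_der(data)
    label = m.group(1).decode()
    if label != "CERTIFICATE":
        return "pem:" + label              # e.g. a private key or a CSR
    try:
        der = base64.b64decode(m.group(2))
    except ValueError:
        return "unknown"
    return "x509-pem" if classify_der(der) == "x509-der" else "unknown"

# Constructed skeletons (outer ASN.1 structure only, not real certificates or keys).
SAMPLE_CERT_DER = bytes.fromhex("300a3008a003020102020101")
SAMPLE_PFX = bytes.fromhex("30050201033000")
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_DER)
                   + b"\n-----END CERTIFICATE-----\n")
```

To check a delivered file, pass its bytes to `classify`, for example `classify(open(path, "rb").read())`.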

Hi,

I have a question about this too. I have a certificate on my primary ISE (let's say it's a self-signed certificate and users agree to ignore the certificate warning).

Scenario:

The primary ISE goes down for some reason and the secondary should take over, and here comes the problem: all the users that agreed to ignore the certificate warning (they have to in order to connect) are having problems because the secondary ISE doesn't have the same certificate as the primary and it's failing.

Another question would be: does it really matter if my ISE IP doesn't match the domain name that the certificate was issued to? I mean, users can't even tell that before they connect because they wouldn't be able to check without having DNS.

Thanks in advance.