03-05-2013 04:14 PM - edited 03-10-2019 08:09 PM
My customer's PKI will generate a certificate for the ISE. They ask me if the format supported by the ISE is .cer or .pfx ... I think it is .cer but I'm not sure, can somebody confirm?
On the other hand, the information I have reviewed indicates the ISE needs a restart after the certificate installation, but the documentation usually refers to distributed installations. In this case, it is a standalone installation; is the reset necessary?
Regards.
03-06-2013 12:47 AM
I've used .cer.
It has been a while since I imported a cert to ISE, but I don't think I rebooted the device.
03-06-2013 09:55 AM
Thank you. I will advise the customer. I hope we don't have any issue.
Regards.
03-07-2013 12:07 PM
Hello
Question: My customer's PKI will generate a certificate for the ISE. They ask me if the format supported by the ISE is .cer or .pfx ... I think it is .cer but I'm not sure, can somebody confirm?
Answer: The certificate format supported by ISE is ".cer".
Question: On the other hand, the information I have reviewed indicates the ISE needs a restart after the certificate installation, but the documentation usually refers to distributed installations. In this case, it is a standalone installation; is the reset necessary?
Answer: In a standalone installation, there is no need to restart the ISE after importing the certificate.
But if you have deployed ISE in HA, then if you edit a certificate authority certificate on your primary Cisco ISE node, you must restart the secondary nodes connected to your primary Cisco ISE node. To restart the secondary nodes, from the command-line interface (CLI), enter the following commands:
a. application stop ise
b. application start ise
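An added example, not from the thread or from Cisco: a file extension does not prove what a file contains, so this Python check tells whether a file handed over by the PKI is certificate-shaped (PEM or DER, the usual contents of a .cer) or a PKCS#12 bundle (the usual contents of a .pfx, which can also carry a private key). The function names and sample bytes are constructed for illustration, and the check is structural only; it does not validate the certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the ASN.1 element at pos."""
    tag, first = buf[pos], buf[pos + 1]       # IndexError if truncated
    pos += 2
    if first == 0x80:                         # BER indefinite length: take the rest
        length = len(buf) - pos
    elif first > 0x80:                        # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                     # short-form length
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, pos, pos + length

def classify_der(data):
    """Shape check only: CSRs and CRLs share the certificate's outer shape."""
    try:
        tag, start, end = read_tlv(data, 0)
        inner, istart, iend = read_tlv(data[:end], start)
    except (IndexError, ValueError):
        return "unknown"
    if tag == 0x30 and inner == 0x30:         # SEQUENCE { tbsCertificate SEQUENCE ...
        return "x509-der"
    if tag == 0x30 and inner == 0x02 and data[istart:iend] == b"\x03":
        return "pkcs12"                       # PFX ::= SEQUENCE { version INTEGER 3 ...
    return "unknown"

def classify(data):
    m = PEM_RE.search(data)
    if not m:
        return classify_der(data)
    label = m.group(1).decode()
    if label != "CERTIFICATE":
        return "pem:" + label                 # e.g. PRIVATE KEY, CERTIFICATE REQUEST
    try:
        kind = classify_der(base64.b64decode(m.group(2)))
    except ValueError:                        # malformed base64 body
        return "unknown"
    return "x509-pem" if kind == "x509-der" else "unknown"

# Constructed skeletons (outer structure only, not valid certificates or bundles).
SAMPLE_DER_CERT = bytes.fromhex("30053003020102")
SAMPLE_PFX = bytes.fromhex("30050201033000")
```

To check a real file, pass its bytes: `classify(open(path, "rb").read())`.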
03-08-2013 10:14 AM
Hi,
I have a question about this too. I have a certificate on my Primary ISE (let's say it's a self-signed certificate and users agree to ignore the certificate warning).
Scenario:
Primary ISE goes down for some reason - secondary should take over, and here comes the problem: all the users that agreed to ignore the certificate warning (they have to in order to connect) are having problems because the secondary ISE doesn't have the same certificate as the primary and it's failing.
Another question would be: does it really matter if my ISE IP doesn't match the domain name that the certificate was issued to? I mean, users can't even tell that before they connect cuz they wouldn't be able to check without having DNS.
Thanks in advance.