04-30-2019 12:55 AM
What is the best way to import/export all certificates, including the ISE-signed certificate, to another ISE cluster?
Backup/Restore does not include the ISE-signed identity certificate.
Thanks
Wing Churn
05-02-2019 04:27 AM
Hey @wileong - are you referring to the client certs that the internal ISE CA has generated? If so, then you are correct: these are not contained in the config backup; you need to export those via the CLI.
See option 7 below (Export Internal CA Store):
ise01/admin# application configure ise
Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[0]Exit
If, on the other hand, you are referring to the ISE System Certificates (Admin/EAP/Portal/DTLS etc.), then @Jason Kunst is spot on: those you should not export; it's bad practice. Rather, have system certs created for your ISE nodes via a PKI (public or internal). You can of course export them, but it's not recommended unless the cert is a wildcard cert, or a cert that has a SAN that allows it to be re-used elsewhere. But again, in the case of self-signed certs, this should be avoided.
05-03-2019 07:00 PM
Endpoint certs should be part of the config backup. But even if they are not present on the new deployment, as part of PKI trust you can authenticate endpoints as long as your new ISE deployment trusts the old CA for EAP. The only feature you will lose is the ability to revoke certificates.
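The two answers above make two PKI points that are easy to check outside ISE: endpoint certs issued by the old internal CA keep validating on a new deployment that merely trusts the old CA's public cert (but revocation is then out of reach), and each node should get its own PKI-issued system cert with its FQDN in the SAN rather than a copied cert. The following openssl script is an added example, not code from the thread or from Cisco; it assumes openssl 1.1.1 or newer on PATH, and every name in it (the "Old ISE Internal CA", endpoint-01, ise02.example.test) is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): openssl simulation of "new deployment
# trusts the old CA for EAP" and of a per-node CSR with a SAN.
# Assumptions: openssl >= 1.1.1 on PATH; all names below are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the distro's
# openssl.cnf; ca_ext marks the throwaway CAs as real CAs.
cat > "$WORK/mini.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
export OPENSSL_CONF="$WORK/mini.cnf"

# Stand-in for the old deployment's internal CA plus one endpoint cert it
# issued, and a second, unrelated CA for the "old CA not trusted" case.
make_old_ca_and_endpoint() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Old ISE Internal CA (example)" \
    -keyout "$WORK/oldca.key" -out "$WORK/oldca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=New ISE Internal CA (example)" \
    -keyout "$WORK/newca.key" -out "$WORK/newca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=endpoint-01 (example)" \
    -keyout "$WORK/endpoint.key" -out "$WORK/endpoint.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/endpoint.csr" -days 30 \
    -CA "$WORK/oldca.pem" -CAkey "$WORK/oldca.key" -CAcreateserial \
    -out "$WORK/endpoint.pem" 2>/dev/null
}

# Emulates the EAP trust check on the new deployment: prints OK when the
# endpoint cert chains to the CA file given as $1, FAIL otherwise.
verify_endpoint() {
  if openssl verify -CAfile "$1" "$WORK/endpoint.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# What is lost: with only the old CA's public cert (no key, no CRL), a
# revocation-checking verify has nothing to consult and fails closed.
verify_endpoint_with_crl_check() {
  if openssl verify -crl_check -CAfile "$1" "$WORK/endpoint.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Per-node CSR with the node FQDN ($1) in the SAN: the "let a PKI issue a
# cert per node" path instead of copying a system cert between deployments.
# Prints yes when the CSR carries the SAN, no otherwise.
make_node_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if openssl req -in "$WORK/$1.csr" -noout -text | grep -q "DNS:$1"; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  make_old_ca_and_endpoint
  echo "endpoint vs old CA in trust store: $(verify_endpoint "$WORK/oldca.pem")"
  echo "endpoint vs new CA only:           $(verify_endpoint "$WORK/newca.pem")"
  echo "endpoint with revocation check:    $(verify_endpoint_with_crl_check "$WORK/oldca.pem")"
  echo "node CSR carries SAN:              $(make_node_csr ise02.example.test)"
fi
```

The first two verifies show why importing the old CA's public cert into the new deployment's EAP trust store is enough for existing endpoints to keep authenticating; the CRL-checking verify shows the gap that answer mentions, since revocation needs the old CA's key and CRL, which only the Export/Import Internal CA Store path carries over.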