ISE Certificate import/export

wileong
Cisco Employee

What is the best way to import/export all certificate including ISE signed certificate to another ISE cluster?

Backup/Restore does not include the ISE signed identity certificates.

 

Thanks

Wing Churn

Accepted Solution

Arne Bier
VIP

Hey @wileong - are you referring to the client certs that the internal ISE CA has generated? If so, then you are correct: these are not contained in the config backup - you need to export those via the CLI.

See option 7 below (Export Internal CA Store):

ise01/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[0]Exit

If, on the other hand, you are referring to the ISE System Certificates (Admin/EAP/Portal/DTLS etc.) then @Jason Kunst is spot on - those you should not export - it's bad practice. Rather, have system certs created for your ISE nodes via a PKI (public or internal). You can of course export them, but it's not recommended, unless the cert is a wildcard cert, or a cert that has a SAN that allows the cert to be re-used elsewhere. But again, in the case of self-signed certs, this should be avoided.


6 Replies

Jason Kunst
Cisco Employee

You shouldn’t be using self-signed certs, as there is likely no way to get them off. You should generate certificates that are known to the endpoints, either from an internal CA or a well-known root. This way you have them and can apply them to another system.

Sorry for not being clear, I was referring to endpoint certificates generated using the internal ISE CA.

howon
Cisco Employee

Endpoint certs should be part of the config backup. But even if they are not present on the new deployment, as part of PKI trust you can authenticate endpoints as long as your new ISE deployment trusts the old CA for EAP. The only feature you will lose will be the ability to revoke certificates.
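As an added example (not from this thread, and not Cisco's code), a shell pre-check for the trust relationship howon describes: it confirms that endpoint certs issued by the old internal ISE CA validate against the CA cert you would import into the new deployment's trust store, and shows that a revocation check cannot succeed when only the CA cert, with no CRL from that CA, is available. It assumes the openssl CLI is installed and uses constructed throw-away certificates in place of exported ISE material.

```shell
#!/bin/sh
# Added example, not from the thread: verify that endpoint certs from the OLD
# internal ISE CA chain to the CA cert you will import into the NEW deployment,
# and show that revocation checks fail when no CRL is present. Assumes the
# openssl CLI; every cert below is constructed throw-away test material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file prefix, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue an endpoint cert: $1 = CA prefix, $2 = endpoint CN, $3 = output prefix.
issue_endpoint() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$3.pem" 2>/dev/null
}

# Returns 0 when the endpoint cert ($2) chains to the trusted CA file ($1).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 only when revocation status can actually be checked. With just the
# CA cert imported and no CRL available this fails: that is the revocation
# capability lost when the old internal CA store is not carried across.
revocation_checkable() {
  openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints a one-line verdict for an endpoint cert ($2) against a CA file ($1).
report() {
  if chains_to_ca "$1" "$2"; then echo "$(basename "$2"): chains to $(basename "$1")"
  else echo "$(basename "$2"): does NOT chain to $(basename "$1")"; fi
}

# Constructed material: the old internal ISE CA, an unrelated CA, one endpoint each.
make_ca old_ise_ca "Old ISE Internal CA"
make_ca other_ca "Unrelated CA"
issue_endpoint old_ise_ca endpoint01 ep_old
issue_endpoint other_ca endpoint02 ep_other
report "$WORK/old_ise_ca.pem" "$WORK/ep_old.pem"    # chains
report "$WORK/old_ise_ca.pem" "$WORK/ep_other.pem"  # does NOT chain
```

Run it against the real exported CA chain and a handful of issued endpoint certs before decommissioning the old deployment; any endpoint that does not chain will fail EAP-TLS on the new nodes regardless of what was restored.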


Thanks for the info.