02-08-2024 05:51 AM
It is time again for annual certificate renewal. Just wanted to see if there is a way to generate a CSR and have the new certificate exist without replacing the existing one? Seems like last time it just replaced the certificate once I generated the certificate with the CSR and restarted all the nodes. I would prefer just to have the certificate waiting and I manually switch it out for the different services.
02-08-2024 12:24 PM
Yes you can do that - when you bind the cert with the CSR, just don't tick any boxes (like Admin, EAP, etc.) - it will install the cert in the status of "Not used" - you can then edit that cert later, and tick the relevant boxes - that will activate its status.
02-12-2024 06:08 AM
Seems like last time I tried that but much to my surprise it replaced the existing certificate and restarted all the nodes. This was on 2.x so maybe I will see something different on 3.2.
02-12-2024 02:14 PM
That behaviour still exists in ISE 3.2. There is an enhancement in 3.3 that allows you to schedule the restart of the nodes for a later time/date.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#admin_cert_controlled_app_restart
02-12-2024 09:13 PM
If you don't use posture and if you don't make creative use of portals, the impact is very low; ISE restarts the application server service only on each node, one at a time.
I've just updated the admin certificate on a 15-node deployment during business hours and there were no user complaints at all.
However, doing it during business hours is quite a risk; if something goes wrong you may have trouble on one or more nodes, but in this case I had no choice, and with an open TAC case ready to be claimed I decided to take the risk and all went fine.