ISE certificate renewal

charliey_2000
Level 1

It is time again for annual Certificate renewal. Just wanted to see is there a way to generate a CSR and have the new certificate exist without replacing the existing?  Seems like last time it just replaced the certificate once I generated the certificate with the CSR and restarted all the nodes.  I would prefer just to have the certificate waiting and I manually switch it out for the different services.  

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Yes you can do that - when you bind the cert with the CSR, just don't tick any boxes (like Admin, EAP, etc.) - it will install the cert in the status of "Not used" - you can then edit that cert later, and tick the relevant boxes - that will activate its status.

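A pre-check that goes with the answer above, added here as an example and not part of the thread or of any Cisco tooling: before you bind the certificate the CA returned to its CSR in the ISE GUI (with no usage boxes ticked, so it lands as "Not used"), confirm on your workstation that the certificate really belongs to the CSR's key and is not already close to expiry. It assumes the `openssl` command-line tool is installed; the demo material it generates (key, CSR, self-signed cert, and a deliberately mismatched second cert) is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Succeed (exit 0) when the public key in CERT equals the public key in CSR.
# Both keys are normalised to DER and hashed so the comparison is format-independent.
cert_matches_csr() {
  csr="$1"; cert="$2"
  csr_pub=$(openssl req  -in "$csr"  -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$cert_pub" ]
}

# Succeed (exit 0) when CERT will still be valid DAYS days from now.
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Constructed demo material (not real ISE certificates): writes into DIR
#   demo.key / demo.csr / demo.crt   -> cert signed by the CSR's own key (matches)
#   other.crt                         -> self-signed cert from an unrelated key (mismatch)
make_demo_material() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/demo.key" -out "$dir/demo.csr" \
    -subj "/CN=ise-demo.example" >/dev/null 2>&1
  openssl x509 -req -in "$dir/demo.csr" -signkey "$dir/demo.key" -days 365 \
    -out "$dir/demo.crt" >/dev/null 2>&1
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.crt" \
    -days 365 -subj "/CN=unrelated.example" >/dev/null 2>&1
}

# Run the two checks on a CSR/cert pair and print a verdict; exit 0 only if both pass.
precheck() {
  csr="$1"; cert="$2"
  if ! cert_matches_csr "$csr" "$cert"; then
    echo "FAIL: $cert does not match the key in $csr"; return 1
  fi
  if ! cert_valid_for_days "$cert" 30; then
    echo "FAIL: $cert expires within 30 days"; return 1
  fi
  echo "OK: $cert matches $csr and is valid for at least 30 days"
}

# Stand-alone demo when run directly.
if [ "${0##*/}" != "sh" ] && [ "${DEMO_SKIP:-0}" = "0" ]; then
  d=$(mktemp -d)
  make_demo_material "$d"
  precheck "$d/demo.csr" "$d/demo.crt"   # expected: OK
  precheck "$d/demo.csr" "$d/other.crt"  # expected: FAIL (key mismatch)
  rm -rf "$d"
fi
```

Only after both checks pass does it make sense to bind the certificate in the GUI; a key mismatch at bind time is exactly the kind of failure you do not want to discover on a node that has just restarted its application server.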

4 Replies


Seems like last time I tried that, but much to my surprise it replaced the existing certificate and restarted all the nodes. This was on 2.x, so maybe I will see something different on 3.2.

That behaviour still exists in ISE 3.2. There is an enhancement in 3.3 that allows you to schedule the restart of the nodes for a later time/date.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#admin_cert_controlled_app_restart

If you don't use posture and if you don't make creative use of portals, the impact is very low: ISE restarts only the application server service on each node, one at a time.

I've just updated the admin certificate on a 15-node deployment during business hours and there were no user complaints at all.

However, doing it during business hours is quite a risk; if something goes wrong you may have trouble on one or more nodes. In this case I had no choice, and with an open TAC case ready to be claimed I decided to take the risk, and all went fine.