ISE Certificate Status via CLI

Scott Gillies (Level 1)

Hi

I am creating a list of precheck CLI commands to perform on an ISE to ensure relevant info is recorded prior to an engineer making any changes.

Are there any CLI commands I could use that would return the current status of the certificates on an ISE? E.g. their expiry date.

4 Replies

Jason Kunst (Cisco Employee)
Please see the information in the guide
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/cli_guide/b_ise_CLIReferenceGuide_24/b_ise_CLIReferenceGuide_24_chapter_00.html

I did a search in the book for certificate and it looks like the needed information is in there

Thank you Jason.

Sorry, but I would not say this is solved.

I have read the CLI guide, which didn't solve my requirement. The only information I can see that it will display is the current Certificate Service status or how to export/import the current certs.

I was looking for a CLI command that would perhaps list the system certs and their expiry dates. Can't imagine that this is beyond the wit of the Cisco coders to add such a command. If I was an engineer with only CLI access, say, I might want such info to troubleshoot a system.

I reckon the only way to do such a check is via the GUI unless there are some undocumented CLI commands that would provide the info.

Again thanks.

I don’t believe there are any “undocumented” commands but will double check.

For system certificates, I would recommend exporting each key and certificate pair for each ISE node via the ISE admin web UI for safekeeping. The certificates for the primary ISE admin node are also part of ISE CFG backups, but there is no option to restore only the certificates.

The CLI has no direct option to do what you asked. We could get a list of local certificates in PEM format as part of show tech outputs. Or, you may simply make cURL or WGET requests to the portals using particular certificates and parse them for validity.
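The two workarounds in the reply above (PEM blocks lifted from a show tech dump, or a certificate fetched from a portal over TLS) both end in the same step: parse the certificate and read its validity window. The script below is an added example, written for this thread and not code from Cisco or from anyone in the discussion. It walks the DER structure of each PEM certificate far enough to reach the Validity field, reports days left against a warning threshold, and carries a constructed sample dump (skeleton certificates with real validity dates but no real key or signature, labelled as such in the code) so it runs offline; `fetch_portal_cert` is the hook for the live-portal variant and uses only the standard library. The field order it relies on (version, serialNumber, signature, issuer, validity) is the one RFC 5280 defines for TBSCertificate. It reads expiry only; it does not verify the signature or the chain, so it is a precheck, not a validation.

```python
import base64
import re
import ssl
import textwrap
from datetime import datetime, timezone

# --- minimal DER helpers: enough for Certificate -> TBSCertificate -> Validity ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag: int, raw: bytes) -> datetime:
    """X.509 Time: UTCTime (0x17, two-digit year with the RFC 5280 century rule) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# --- the precheck itself ---

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def extract_pem_blocks(text: str):
    """Pull every PEM certificate block out of a text dump such as saved show tech output."""
    return PEM_RE.findall(text)

def cert_validity(pem: str):
    """Return (notBefore, notAfter) by walking the DER: Certificate -> tbsCertificate -> validity."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(b64), 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                       # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)                 # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return parse_time(t1, nb), parse_time(t2, na)

def precheck_report(text: str, now: datetime, warn_days: int = 30):
    """One row per certificate found: validity window, days left and an OK/WARN/EXPIRED verdict."""
    rows = []
    for pem in extract_pem_blocks(text):
        nb, na = cert_validity(pem)
        days = (na - now).days
        status = "EXPIRED" if na < now else ("WARN" if days < warn_days else "OK")
        rows.append({"not_before": nb, "not_after": na, "days_left": days, "status": status})
    return rows

def fetch_portal_cert(host: str, port: int = 443) -> str:
    """Live-portal variant: fetch the server certificate as PEM (no chain validation, expiry read only)."""
    return ssl.get_server_certificate((host, port))

# --- constructed sample input (NOT real ISE output): X.509 skeletons with real validity fields ---

def build_sample_cert_pem(cn: str, not_before: datetime, not_after: datetime) -> str:
    """Build an unsigned certificate skeleton; only the fields up to validity carry meaningful values."""
    def utc(d):
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))  # CN only
    validity = der(0x30, utc(not_before) + utc(not_after))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00"))  # empty BIT STRING stands in for the signature
    body = "\n".join(textwrap.wrap(base64.b64encode(cert).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

SAMPLE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)   # fixed clock so the sample is reproducible
_NB = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_SHOW_TECH = "\n".join([
    "*** Local certificates (constructed sample, not real show tech output) ***",
    build_sample_cert_pem("ise-expired.example", _NB, datetime(2023, 12, 31, tzinfo=timezone.utc)),
    build_sample_cert_pem("ise-soon.example", _NB, datetime(2024, 1, 20, tzinfo=timezone.utc)),
    build_sample_cert_pem("ise-fine.example", _NB, datetime(2025, 1, 1, tzinfo=timezone.utc)),
])

def sample_report():
    """Run the precheck over the constructed dump with the fixed clock."""
    return precheck_report(SAMPLE_SHOW_TECH, now=SAMPLE_NOW)

if __name__ == "__main__":
    for row in sample_report():
        print(f"{row['status']:7} expires {row['not_after']:%Y-%m-%d} ({row['days_left']:+d} days)")
```

For a real node, save the show tech output to a file and pass its contents to `precheck_report` with `now=datetime.now(timezone.utc)`; for the portal route, feed the string returned by `fetch_portal_cert` to `cert_validity`. Keep the exported key and certificate pairs from the admin UI as the authoritative backup; this script only tells you when they run out.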