cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
432
Views
0
Helpful
5
Replies

ise certificate

muhsi_2015
Level 1
Level 1

Hi,
I was using an internal ca for certificates .Unfortunately it is crahed and cannot recoverable .
Using EAP and web authntication ( for guest portal)
Need to add the certificate from the new CA .
Do I need to break the cluster first ?
Or what is the procedure
if yes how

Thanks

5 Replies 5

Rahul Govindan
VIP Alumni
VIP Alumni

No need to break the deployment to add the new certificate. You can follow the steps below:

1) Generate CSR on all nodes and send to CA. IF you are using a wildcard, generate CSR on one node and send it to CA.

2) Obtain the issued cert and install it on all nodes. Do NOT replace the old cert yet.

3) Import the new CA certificate in the Trusted store on the primary node in deployment alone.

4) Change the system cert to new cert on all other nodes. This will force a restart of the services. Wait till they come back up successfully in the deployment.

5) Change the system cert of primary node. This will also cause restart of services. Once it comes back all nodes in your deployment should have new cert.

Hi,

Now the certificate hierarchy has changed 

Root , subordinate CA ,then certificate 

ROOT-CA
INTERNAL-CA
certificate 

Before there was only rootca (microsoft ).

How to accomodate this change 

Thanks

Install both Root and subordinate CA certs into the Trusted cert store. Nothing else should change.

Hi,

 " 1) Generate CSR on all nodes and send to CA. IF you are using a wildcard, generate CSR on one node and send it to CA. " 

I don't have the import or export option in secondary node for exporting or importing certificates . And No option for CSR in the secondary .

Second thing , the above step is same If I am changing from self signed certificate to internal CA

Thanks

Sorry, I should have been more clear. The export and import functionality for all nodes is available only on the the primary node. Check the new primary admin wildcard cert and click Export. Click on import and select the secondary node to import to that node.

Same goes with CSR, you have to generate CSR for all nodes using the GUI of the primary node.