
ISE certificate

muhsi_2015
Level 1

Hi,
I was using an internal CA for certificates. Unfortunately it has crashed and is not recoverable.
Using EAP and web authentication (for guest portal).
Need to add the certificate from the new CA.
Do I need to break the cluster first?
Or what is the procedure?
If yes, how?

Thanks

5 Replies

Rahul Govindan
VIP Alumni

No need to break the deployment to add the new certificate. You can follow the steps below:

1) Generate CSR on all nodes and send to CA. If you are using a wildcard, generate CSR on one node and send it to CA.

2) Obtain the issued cert and install it on all nodes. Do NOT replace the old cert yet.

3) Import the new CA certificate in the Trusted store on the primary node in deployment alone.

4) Change the system cert to new cert on all other nodes. This will force a restart of the services. Wait till they come back up successfully in the deployment.

5) Change the system cert of primary node. This will also cause restart of services. Once it comes back all nodes in your deployment should have new cert.

Hi,

Now the certificate hierarchy has changed:

Root, subordinate CA, then certificate

ROOT-CA
INTERNAL-CA
certificate

Before there was only a root CA (Microsoft).

How to accommodate this change?

Thanks

Install both Root and subordinate CA certs into the Trusted cert store. Nothing else should change.

Hi,

"1) Generate CSR on all nodes and send to CA. If you are using a wildcard, generate CSR on one node and send it to CA."

I don't have the import or export option in the secondary node for exporting or importing certificates. And no option for CSR in the secondary.

Second thing: the above step is the same if I am changing from a self-signed certificate to an internal CA

Thanks

Sorry, I should have been more clear. The export and import functionality for all nodes is available only on the primary node. Check the new primary admin wildcard cert and click Export. Click on import and select the secondary node to import to that node.

Same goes with CSR, you have to generate CSR for all nodes using the GUI of the primary node.
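
An added example, not part of the thread and not Cisco's code: an offline OpenSSL check of the ROOT-CA / INTERNAL-CA hierarchy discussed above, showing that a certificate issued by the subordinate CA fails validation when only the root is trusted and passes when both CA certificates are. The CNs, file names, hostname and 2-day lifetime are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Constructed lab chain: ROOT-CA -> INTERNAL-CA -> node certificate.
# CNs, file names and the 2-day lifetime are assumptions for illustration.

build_chain() {  # $1 = empty working directory
    d=$1
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root
    openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=ROOT-CA" -keyout "$d/root.key" -out "$d/root.pem" \
        2>/dev/null || return 1
    # Subordinate CA signed by the root
    issue "$d" sub "INTERNAL-CA" root ca || return 1
    # Node (EAP / portal) certificate signed by the subordinate CA
    issue "$d" node "ise01.example.test" sub leaf
}

issue() {  # $1 dir, $2 name, $3 CN, $4 issuer name, $5 extension section
    openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 2 -extfile "$1/x.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

chain_ok() {  # $1 = PEM bundle of trusted CAs, $2 = certificate to validate
    # No intermediates are supplied separately, so the bundle must hold the full chain.
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d)
build_chain "$work" || { echo "openssl could not build the lab chain" >&2; exit 1; }
cat "$work/root.pem" "$work/sub.pem" > "$work/both.pem"
for store in root both; do
    if chain_ok "$work/$store.pem" "$work/node.pem"; then
        echo "trust store '$store': node certificate validates"
    else
        echo "trust store '$store': node certificate REJECTED"
    fi
done
rm -rf "$work"
```

The same `openssl verify` call can be pointed at the real CA certificates and the issued node certificate before anything is imported, to confirm the chain is complete.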