Solved: Re: ISE certificates renewal procedure

REJR77 · ‎05-19-2022

Hi,

I need to renew Admin / EAP / PxGRid certificates on my ISE deployment (2 PAN / 2PSN), that would expire at the same date

I've been throught this article
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html#anc9

I understand that I can pre-install the new Certificates before the expiration.(status will be Not In Use)

To activate the new ones, does it mean we have to:
- few days before expiration, Edit the new cert, tick the corresponding Usage
- Apply
- Restart Services (if Admin)

Is there an order to follow?
I would start with the EAP certs since there will be no service restart then Admin certs.

Then what about the Admin cert?
- Should we do first the Primary PAN / Secondary PAN or PSN?

All certs are signed by an internal CA

Thanks

ahollifield · ‎05-20-2022

Your plan should work fine, just be mindful of the service restart for the admin certificate.

View solution in original post

ahollifield · ‎05-19-2022

Are you planning on using separate certificates for EAP and admin now? I would personally activate both roles during the same maintenance window but it really shouldn't matter the order here. Just keep in mind the service restarts.

REJR77 · ‎05-20-2022

Hi,

No Admin, EAP and PxGrid certificates are all different

ahollifield · ‎05-20-2022

Your plan should work fine, just be mindful of the service restart for the admin certificate.