12-21-2020 11:27 AM - edited 12-21-2020 11:30 AM
Hello all,
My root CA is starting to expire in ISE, and I cannot change the certificate on the other deployments. Do I need to deregister them in order to upload the new one on all the nodes? Or is it done via the Primary one?
12-22-2020 09:05 AM
Assuming:
1) The nodes' system certificate is still valid and trusted by your PAN
2) They are synced up to your PAN within the deployment
Then you can issue new ones via the PAN. This is done via issuing a CSR request for the nodes via PAN, filling them in, issuing a new certificate based on the CSRs with your CA and then binding each certificate to its CSR. After you've done this you can delete the old system certificates via the PAN if they are no longer needed.
If they are expired that's a different issue. I know that a system certificate is generated on ISE install (can be done via CLI), but if it's expired then perhaps you can't add it to the trust store (hopefully someone can correct me if you can). If the certificate can't be trusted, you can't generate or import a new certificate if the node is part of a deployment. In this case you'd have to reset the application via CLI to make it a standalone with a new certificate and rejoin it to the PAN.
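The CSR / CA-signing / bind flow the answer describes, rehearsed offline with openssl, as an added example that is not from this thread or from Cisco. It builds a constructed lab root CA and a stand-in CSR (the hostname ise-psn1.example.test is made up; in practice the CSR is the one exported from the PAN) and then runs the three checks an admin wants before binding in ISE: the certificate is still valid for a margin of days (the expiry situation the answer flags), it chains to the CA the deployment trusts, and it carries the same public key as the CSR it is about to be bound to.

```shell
#!/usr/bin/env bash
# Added example: exercise "CSR -> sign with CA -> bind" offline and check the
# result before it is uploaded to the PAN. All names and files are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

CA_KEY="$WORK/ca.key";     CA_CERT="$WORK/ca.pem"
NODE_KEY="$WORK/node.key"; NODE_CSR="$WORK/node.csr"; NODE_CERT="$WORK/node.pem"
OTHER_CSR="$WORK/other.csr"

# Constructed lab root CA standing in for the enterprise CA (hypothetical CN).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Lab Root CA" -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1

# Stand-in for the CSR the PAN would export for a node (hypothetical hostname).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ise-psn1.example.test" -keyout "$NODE_KEY" -out "$NODE_CSR" >/dev/null 2>&1

# A second CSR with a different key, to show what a wrong bind looks like.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ise-psn2.example.test" -keyout "$WORK/other.key" -out "$OTHER_CSR" >/dev/null 2>&1

# Sign the node CSR with the CA; this is the "issue a new certificate based on the CSR" step.
openssl x509 -req -in "$NODE_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -days 365 -sha256 -out "$NODE_CERT" >/dev/null 2>&1

# Check 1: certificate still valid for at least $2 days from now.
# openssl -checkend exits 0 only if the cert will NOT expire within that window.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Check 2: certificate chains to the CA that the deployment trusts ($1 = CA, $2 = cert).
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: certificate carries the same public key as the CSR it will be bound to.
# Binding a certificate to a CSR with a different key is the classic bind failure.
cert_matches_csr() {
  local csr_pub cert_pub
  csr_pub="$(openssl req -in "$1" -noout -pubkey | openssl sha256)"
  cert_pub="$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)"
  [ "$csr_pub" = "$cert_pub" ]
}

# Stand-alone run: report each check for the constructed node certificate.
cert_valid_for_days "$NODE_CERT" 30   && echo "valid for >= 30 days"
cert_chains_to_ca "$CA_CERT" "$NODE_CERT" && echo "chains to lab root CA"
cert_matches_csr "$NODE_CSR" "$NODE_CERT" && echo "public key matches node CSR"
cert_matches_csr "$OTHER_CSR" "$NODE_CERT" || echo "does NOT match the other node's CSR (expected)"
```

Point the three functions at the real files instead of the constructed ones (the CSR downloaded from the PAN, the certificate your CA returned, and the CA chain already in the ISE trusted-certificate store) and run them before the bind step; a failure on check 2 means the root or intermediate still has to be imported into the trust store first, and a failure on check 3 means the certificate was issued from a different CSR than the one you are binding.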