ISE - Certificates - Trust

TiUM
Level 1

Hello all,

My root CA is starting to expire in ISE, and I cannot change the certificate on the other deployments. Do I need to deregister them in order to upload the new one to all the nodes? Or is it done via the primary one?

Accepted Solution

Nadav
Level 7

Assuming:

1) The nodes' system certificates are still valid and trusted by your PAN

2) They are synced up to your PAN within the deployment


Then you can issue new ones via the PAN. This is done by issuing CSRs for the nodes via the PAN, filling them in, issuing a new certificate based on each CSR with your CA, and then binding each certificate to its CSR. After you've done this you can delete the old system certificates via the PAN if they are no longer needed.


If they are expired that's a different issue. I know that a system certificate is generated on ISE install (this can be done via the CLI), but if it's expired then perhaps you can't add it to the trust store (hopefully someone can correct me if you can). If the certificate can't be trusted, you can't generate or import a new certificate if the node is part of a deployment. In this case you'd have to reset the application via the CLI to make it standalone with a new certificate and rejoin it to the PAN.
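The checks behind the CSR-and-bind step the answer describes, as an added example that is not from the thread or from Cisco: a throwaway lab CA stands in for the enterprise CA, the node hostnames are constructed, and the three functions verify what the PAN's bind step depends on (the issued certificate carries the CSR's public key, it chains to the root in the trust store, and neither it nor the root is about to expire).

```shell
#!/bin/sh
# Added example, not from the thread: builds a throwaway lab CA, a node key
# and CSR (as the PAN would generate), signs the CSR, and then runs the three
# checks an admin wants before binding the certificate to its CSR on the PAN.
# Needs the openssl CLI; every name below is constructed for the lab.
set -eu
WORK=$(mktemp -d)

# Throwaway CA standing in for the enterprise CA (constructed, not ISE's own).
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Node key + CSR; $1 is a file prefix, $2 the node FQDN (made up here).
make_node_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# The CA signs the CSR; $1 is the prefix, $2 the validity in days.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Bind check: the issued cert must carry the same public key as the CSR.
csr_matches_cert() {
  [ "$(openssl req -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# Trust check: the cert ($2) must chain to the root in the trust store ($1).
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Expiry check: succeeds if the cert stays valid for at least $2 more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

make_lab_ca
make_node_csr node "ise-psn-1.example.lab"
sign_csr node 30
make_node_csr other "ise-psn-2.example.lab"   # a second CSR with its own key

csr_matches_cert "$WORK/node.csr" "$WORK/node.pem" && echo "bind: key matches CSR"
csr_matches_cert "$WORK/other.csr" "$WORK/node.pem" || echo "bind: wrong CSR for this cert"
chains_to_ca "$WORK/ca.pem" "$WORK/node.pem" && echo "trust: chains to lab CA"
valid_for_days "$WORK/node.pem" 60 || echo "expiry: node cert expires within 60 days"
```

Run the same three checks against the real CSR, the certificate your CA returned, and the root already in the ISE trust store before attempting the bind on the PAN.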
