ISE certificates

alliasneo1
Level 1

Hi, if you have 2 Cisco ISE nodes in a cluster, one primary and one secondary, and I need to update the System certificate that has a bind between the nodes, how do I do this? Do I need to take the secondary out of the deployment and generate a certificate locally on that node as well, or can I just do this on the primary?

When I log into the secondary, I don't have an option to create a certificate. I have the menu for Certificate Signing Requests, but the menu is blank. I have just noticed that the system certificates on the secondary are different to the primary. The primary has a certificate whose friendly name is the certificate name-bind, and it has both node FQDNs in the friendly name. This cert is not present on the secondary.

Primary System Cert: [screenshot of the primary PAN's system certificate list]

7 Replies

Arne Bier
VIP

Are you using ISE self-signed certificates for this? If so, then there is no need to create a signing request - you can simply select each cert and Edit it - at the bottom of the screen you can tick the box "Renewal Period" and then select the number of days/months/years you want to renew the cert for.

I don't know if renewing the cert's date will also force an application restart - just bear that in mind - in the case where the Admin cert is replaced, it will always cause an application restart (and kick you out of the GUI if you are updating the Admin cert of the Primary PAN).

If you wanted to create ISE Admin and EAP certs from your organisation's PKI, then you would create a CSR for each ISE node, and have the certificate created on your PKI - once you have the cert, you "bind" it to the CSR in ISE. The PKI approach is the recommended approach since you then avoid certificate warnings in browsers etc.

 

Hi, how would I know if I'm using self-signed certs? I don't think I am, as I remember exporting from ISE and using that certificate on the Microsoft certificate server to generate a certificate that I then imported back in. The 'Issued By' column has our organisation name-authority-A.

 

So if I'm understanding this correctly, I would export the certificate, generate a new cert on the Microsoft certificate server and then import that new cert back into ISE?

 

PSM
Level 1

@alliasneo1 - No, you don't need to break the cluster to do any certificate management task.

- Everything @Arne Bier advised will be performed on the primary PAN node.

As @Arne Bier mentioned, enterprise PKI certificates are recommended. If you don't want 2 separate certificates for both nodes, you can include the FQDNs of both nodes in the SAN field of a single CSR.

Hi,

 

On the primary, if I tick the certificate and choose 'Edit', I can see both the primary and secondary FQDNs and IP addresses are listed, so I think the certificate has both node details. So I'm guessing I would export this cert, import it on the Microsoft certificate server and generate a new cert, and then import that one back into ISE?

Probably the easiest way to check if the certificate you have on the primary PAN is valid for the secondary or not is to export it from the primary and check the SAN values; if you have both nodes' FQDNs and hopefully their IP addresses, then that cert can be imported and used on both nodes. The way to renew the cert depends on whether you want to use your internal PKI or not. As already mentioned, using internal PKI is highly recommended. To do so, you just need to generate the CSRs from the primary PAN selecting both nodes, and then you'll have to populate both nodes' FQDNs and IP addresses in the SAN section. For the certificate usage you can select EAP Authentication, and once you have the new cert you can import it into ISE by binding it to the CSRs you already created. Once the certificate is imported, you can go and edit it, adding the Admin and Portal usages.
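The two checks the replies above describe (PSM's single CSR carrying both node FQDNs in the SAN, and the advice to export the current cert and inspect its SAN values) can be done from any workstation with OpenSSL before anything is sent to the PKI or bound in ISE. The script below is an added example, not code from this thread or from Cisco; the hostnames (ise-pan01/02.example.test) and IPs (192.0.2.x) are constructed placeholders, and the sample cert and CSR it builds are stand-ins for the files you would export from the primary PAN or receive from the CA.

```shell
#!/usr/bin/env sh
# Added example: verify that a PEM cert or CSR carries the SAN entries both ISE
# nodes need. Names and addresses are constructed placeholders, not real nodes.
set -e

WORK="$(mktemp -d)"

# OpenSSL config with both node FQDNs and IPs in one SAN, the shape a single
# CSR for both nodes would have (constructed sample values).
write_san_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = ise-pan01.example.test
[ext]
subjectAltName = DNS:ise-pan01.example.test,DNS:ise-pan02.example.test,IP:192.0.2.11,IP:192.0.2.12
EOF
}

# Stand-in for the CA-issued cert: a self-signed cert with the SAN above.
make_sample_cert() {
  write_san_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/cert-key.pem" -out "$WORK/cert.pem" \
    -config "$WORK/san.cnf" -extensions ext >/dev/null 2>&1
  printf '%s\n' "$WORK/cert.pem"
}

# Stand-in for the CSR generated on the primary PAN.
make_sample_csr() {
  write_san_config
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/csr-key.pem" -out "$WORK/req.pem" \
    -config "$WORK/san.cnf" >/dev/null 2>&1
  printf '%s\n' "$WORK/req.pem"
}

# Print SAN entries of a PEM cert or CSR, one per line, normalised to the
# "DNS:host" / "IP:addr" form (openssl prints IPs as "IP Address:addr").
list_san() {
  file="$1"
  if grep -q 'CERTIFICATE REQUEST' "$file"; then
    openssl req -in "$file" -noout -text
  else
    openssl x509 -in "$file" -noout -text
  fi | sed -n '/Subject Alternative Name/{n;p;}' \
     | tr ',' '\n' | sed 's/^[[:space:]]*//; s/^IP Address:/IP:/'
}

# Return 0 if every required SAN entry is present, 1 otherwise; lists what is
# missing on stderr so the gap can be fixed before the CSR goes to the PKI.
check_san() {
  file="$1"; shift
  missing=0
  for want in "$@"; do
    if ! list_san "$file" | grep -qx "$want"; then
      echo "missing SAN: $want" >&2
      missing=1
    fi
  done
  return $missing
}
```

Run `check_san` against the CSR exported from the primary PAN before handing it to the infra team, and again against the issued certificate before binding it in ISE; a certificate that lacks the secondary node's FQDN will be accepted by the bind but clients talking to that node will get a name mismatch.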

Hi, thanks for the detailed reply, that's really helpful. On the primary, if I tick the certificate and choose 'Edit', I can see both the primary and secondary FQDNs and IP addresses are listed, so I think the certificate has both node details listed, which is good. I'll get this exported and over to our server team so they can generate the new cert, and then I can get it imported.

thanks

You're welcome. If you see your organisation's name-authority as the issuer, then that cert has been issued by your internal PKI. Before you can issue the new certificate you need to generate the CSRs on ISE, and then hand them over to the infra team to issue the cert. Please take a look at this link:

Install a Third-Party CA-signed Certificate in ISE - Cisco