ISE certificates

alliasneo1
Level 1

Hi, if you have 2 Cisco nodes in a cluster, one primary and one secondary, and I need to update the System certificate that has a bind between the nodes, how do I do this? Do I need to take the secondary out of the deployment and generate a certificate locally on that node as well, or can I just do this on the primary?

When I log into the secondary, I don't have an option to create a certificate. I have the menu for Certificate Signing Requests but the menu is blank. I have just noticed that the system certificates on the secondary are different to the primary. The primary has a certificate whose friendly name is the certificate name-bind, and it has both node FQDNs in the friendly name. This cert is not present on the secondary.

Primary System Cert:

[screenshot attached in original post]


Arne Bier
VIP

Are you using ISE self-signed certificates for this? If so, then there is no need to create a signing request - you can simply select each cert and Edit it - at the bottom of the screen you can tick the box "Renewal Period" and then select the number of days/months/years you want to renew the cert for.

I don't know if renewing the cert's date will also force an application restart - just bear that in mind - in the case where the Admin cert is replaced, it will always cause an application restart (and kick you out of the GUI if you are updating the Admin cert of the Primary PAN).

If you wanted to create ISE Admin and EAP certs from your organisation's PKI, then you would create a CSR for each ISE node, and have the certificate created on your PKI - once you have the cert, you "bind" it to the CSR in ISE. The PKI approach is the recommended approach since you then avoid certificate warnings in browsers etc.

Hi, how would I know if I'm using self-signed certs? I don't think I am, as I remember exporting from ISE and using that certificate on the Microsoft certificate server to generate a certificate that I then imported back in. The 'issued by' column has our organisation name-authority-A.

So if I'm understanding this correctly, I would export the certificate, generate a new cert on the Microsoft certificate server and then import that new cert back into ISE?

PSM
Level 1

@alliasneo1 - No, you don't need to break the cluster to do any certificate management task.

- Everything @Arne Bier advised will be performed on the primary PAN node.

As @Arne Bier mentioned, enterprise PKI certificates are recommended. If you don't want 2 separate certificates for both nodes, you can include the FQDNs of both nodes in the SAN field of a single CSR.

Hi,

On the primary, if I tick the certificate and choose 'edit' I can see both the primary and secondary FQDNs and IP addresses are listed, so I think the certificate has both node details. So I'm guessing I would export this cert, import it on the Microsoft certificate server and generate a new cert, and then import that one back into ISE?

Probably the easiest way to check if the certificate you have on the primary PAN is valid for the secondary or not is to export it from the primary and check the SAN values; if you have both nodes' FQDNs and hopefully their IP addresses, then that cert can be imported and used on both nodes. The way to renew the cert depends on whether you want to use your internal PKI or not. As already mentioned, using internal PKI is highly recommended. To do so, you just need to generate the CSRs from the primary PAN selecting both nodes, and then you'll have to populate both nodes' FQDNs and IP addresses in the SAN section. For the certificate usage you can select EAP-Authentication, and once you have the new cert you can import it into ISE by binding it to the CSRs you already created. Once the certificate is imported you can go and edit it, adding the admin and portal usages.
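The two checks the replies above describe, a single CSR whose SAN lists both nodes' FQDNs and IP addresses, and inspecting the SAN of an exported certificate before importing it on the secondary, can be done with openssl outside of ISE. This is an added example for this thread, not Cisco's procedure or code; the hostnames, IP addresses and organisation name are constructed placeholders, and the self-signed step only stands in for the certificate your PKI team would issue from the CSR. ISE generates its own CSR from the PAN GUI; the script shows what the SAN in that CSR, and in the returned certificate, should contain.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR whose SAN names both ISE
# nodes, then verify an issued certificate covers both nodes before binding it.
# Requires openssl. All names and addresses below are constructed placeholders.
PAN_FQDN="ise-pan.example.internal"
SEC_FQDN="ise-sec.example.internal"
PAN_IP="10.0.0.11"
SEC_IP="10.0.0.12"

# Write an openssl request config whose SAN carries both node FQDNs and IPs.
write_csr_config() {  # $1 = path of config file to write
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $PAN_FQDN
O = Example Org
[ v3_req ]
subjectAltName = DNS:$PAN_FQDN, DNS:$SEC_FQDN, IP:$PAN_IP, IP:$SEC_IP
extendedKeyUsage = serverAuth
EOF
}

# Generate a private key and CSR in the work directory (ISE does this from
# the PAN GUI; this shows the SAN content you want in that CSR).
make_csr() {  # $1 = work directory
  write_csr_config "$1/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/node.key" \
    -out "$1/node.csr" -config "$1/req.cnf" 2>/dev/null
}

# Stand-in for the certificate your PKI would issue from the CSR: self-sign
# it, copying the SAN extension from the request config.
self_sign_for_demo() {  # $1 = work directory
  openssl x509 -req -in "$1/node.csr" -signkey "$1/node.key" -days 30 \
    -extfile "$1/req.cnf" -extensions v3_req -out "$1/node.crt" 2>/dev/null
}

# Print the SAN values of a PEM certificate on one line, spaces removed,
# e.g. "DNS:a,DNS:b,IPAddress:10.0.0.11,IPAddress:10.0.0.12".
cert_san() {  # $1 = cert.pem
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Return 0 only if the certificate's SAN names every FQDN/IP given after the
# cert path; report the first missing entry on stderr otherwise.
cert_covers_nodes() {
  cert="$1"; shift
  san=$(cert_san "$cert")
  for name in "$@"; do
    case ",$san," in
      *",DNS:$name,"*|*",IPAddress:$name,"*) ;;
      *) echo "missing from SAN: $name" >&2; return 1 ;;
    esac
  done
  return 0
}

demo() {
  work=$(mktemp -d)
  make_csr "$work"
  self_sign_for_demo "$work"
  echo "CSR SAN:  $(openssl req -in "$work/node.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')"
  echo "Cert SAN: $(cert_san "$work/node.crt")"
  if cert_covers_nodes "$work/node.crt" "$PAN_FQDN" "$SEC_FQDN" "$PAN_IP" "$SEC_IP"; then
    echo "OK: certificate covers both nodes; it can be bound for both"
  fi
  rm -rf "$work"
}

demo
```

Run `cert_covers_nodes exported.pem <pan-fqdn> <secondary-fqdn> <pan-ip> <secondary-ip>` against the certificate exported from the primary PAN; a non-zero exit with a "missing from SAN" message means the cert will not be valid on the secondary and a new CSR listing both nodes is needed.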

Hi, thanks for the detailed reply, that's really helpful. On the primary, if I tick the certificate and choose 'edit' I can see both the primary and secondary FQDNs and IP addresses are listed, so I think the certificate has both node details listed, which is good. I'll get this exported and over to our server team so they can generate the new cert and then I can get it imported.

Thanks

You're welcome. If you see your organization name authority as the issuer, then that cert has been issued by your internal PKI. Before you can issue the new certificate you need to generate the CSRs on ISE, and then hand them over to the infra team to issue the cert. Please take a look at this link:

Install a Third-Party CA-signed Certificate in ISE - Cisco

Okay, so the steps I have taken so far are:

Generate a Self Signed Certificate in ISE

Passed that to the server team

They have generated a certificate and sent it back to me


Are my next steps:

1. Log in to Primary Admin Node (PAN).

2. Navigate to Administration → System → Certificates → System Certificates → Certificate Signing Requests.

4. Select the CSR previously created and click on Bind Certificate.

5. Select the new certificate location and ISE binds the certificate to the private key created and stored in the database.

6. Select Admin, EAP and TACACS for the usage.

7. Services will restart.

8. Check authentication is working etc.

Accepted solution:

You got it right. The only couple of things are that you mentioned "Generate a Self Signed Certificate in ISE"; I think you meant to say you generated the CSR on ISE?

The other thing, on step 6, you mentioned you would select admin, EAP, and TACACS. TACACS won't be part of this. The way I would do it would be to select EAP authentication, and once the cert is imported on both nodes, I go and edit it individually, adding the portal and admin usage, because I think if you try to select the admin usage while you are binding the cert it would return an error.

Generated the CSR on ISE - yes, that's right.

That's perfect, thank you for your help