12-12-2023 03:54 AM
Hi
If I generate a new self-signed cert on the primary node and use it for multi-use, one being Admin, would the application restart affect the secondary node? Or would this carry on serving clients as normal?
Thanks
12-12-2023 04:01 AM
If the clients have valid certs they should not be affected.
What kind of cert are you replacing, admin certs? Adding a new cert does not need ISE to reload.
12-12-2023 08:07 AM
@benolyndav generally yes you can, as long as it's trusted by the other nodes etc. Preferably you'd have at least a dedicated certificate for the admin role IMO.
12-12-2023 04:24 AM
Hi
Sorry, pressed the wrong button, didn't want to accept the solution. It's self-signed certs and they are multi-use, admin being one of the uses.
Also I do see there is a button to renew the cert; is that the easiest way to renew?
thanks
12-12-2023 04:42 AM
, it's self-signed certs and they are multi-use, admin being one of the uses,
also I do see there is a button to renew the cert; is that the easiest way to renew?
Are the self-signed certs being renewed or replaced?
What kind of deployment, what ISE version?
Have you checked the document posted above in relation to renewal of certs?
12-12-2023 04:04 AM
Can I know what service for clients you use on the secondary node?
MHM
12-12-2023 04:23 AM
Friend, they will be affected, be careful.
The admin cert in distributed mode is important.
Check before applying any change.
MHM
12-12-2023 04:31 AM
When you set up a deployment, the node that you designate as the Primary Administration Node (PAN) becomes the Root CA. The PAN has a Root CA certificate and a Node CA certificate that is signed by the Root CA.
When you register a Secondary Administration Node to the PAN, a Node CA certificate is generated and is signed by the Root CA on the Primary Administration Node.
Any Policy Service Node (PSN) that you register with the PAN is provisioned an Endpoint CA and an OCSP certificate signed by the Node CA of the PAN. The Policy Service Nodes (PSNs) are subordinate CAs to the PAN. When you use the ISE CA, the Endpoint CA on the PSN issues the certificates to the endpoints that access your network.
Check this guide, see ISE root CA in PAN.
MHM
12-12-2023 04:54 AM
hi
It's the self-signed certs that have expired on the primary admin and secondary admin nodes; these certs are used for DTLS, Admin, Portal, EAP auth.
thanks
12-12-2023 05:53 AM
You can start with new certs on the primary node and later the secondary node; the document gives you the steps.
Clients should not see any issue, as long as both systems are configured correctly to fail over to the other ISE when one ISE is not reachable.
12-12-2023 04:59 AM
@benolyndav applying a new admin certificate to a node will restart the services on that node only. As long as the secondary node provides the same services (RADIUS, TACACS etc.) then the clients will continue to be authenticated. It is important that the secondary node trusts the Primary node's new admin certificate.
If you also use the new certificate for EAP (and any other function) then those clients will need to trust the new certificate, when using a self-signed certificate this won't be easy. The recommendation is to use an internal CA for admin/EAP.
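The trust and expiry checks discussed in this thread, as an added example that is not from the thread or from Cisco ISE: a constructed lab in which a renewed self-signed "admin" cert for a hypothetical PAN is checked for self-signature, tested against a hypothetical secondary node's trusted-certificates bundle before and after import, and checked for how soon it expires. The CNs, lifetimes and file names are made up; only openssl is required.

```shell
#!/bin/sh
# Constructed lab, not ISE itself: the renewed self-signed admin cert of a
# hypothetical PAN is checked the way the thread describes - is it
# self-signed, does the secondary node's trust bundle accept it, and how
# soon does it expire. CN values, lifetimes and paths are made up.
set -eu
WORK=$(mktemp -d)

new_self_signed_cert() {   # $1 = CN, $2 = days valid, $3 = output PEM path
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3" \
        -days "$2" -subj "/CN=$1" >/dev/null 2>&1
}

is_self_signed() {         # prints yes when subject and issuer match
    subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
    [ "$subj" = "$iss" ] && echo yes || echo no
}

trusted_by() {             # $1 = cert, $2 = trust bundle of the other node
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
}

expires_within_days() {    # $1 = cert, $2 = days; yes when it lapses in window
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null \
        && echo no || echo yes
}

OLD="$WORK/pan-admin-old.pem"; NEW="$WORK/pan-admin-new.pem"
SEC_TRUST="$WORK/secondary-trusted-certs.pem"
new_self_signed_cert ise-pan.example.test 30  "$OLD"   # cert the secondary trusts today
new_self_signed_cert ise-pan.example.test 365 "$NEW"   # the renewed admin cert
cat "$OLD" > "$SEC_TRUST"                              # secondary's current trusted store

echo "new cert self-signed:            $(is_self_signed "$NEW")"
echo "trusted by secondary (before):   $(trusted_by "$NEW" "$SEC_TRUST")"
cat "$NEW" >> "$SEC_TRUST"      # import the new cert into the other node's trusted store
echo "trusted by secondary (after):    $(trusted_by "$NEW" "$SEC_TRUST")"
echo "old cert expires within 60 days: $(expires_within_days "$OLD" 60)"
echo "new cert expires within 60 days: $(expires_within_days "$NEW" 60)"
```

The "before" line is the failure mode the thread warns about: until the new cert is in the other node's trusted store, that node rejects it even though subject and issuer are unchanged.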
12-12-2023 06:53 AM
Hi
So the PSN nodes are using a cert from an external CA for EAP, which I guess is why clients are OK; the primary admin node is, as mentioned, using a self-signed cert which has expired for admin, EAP, portal, DTLS.
So if I generate a new self-signed cert for the primary node or use the check box to renew, which is the best way?
Then this new cert also has to be in the trusted certs along with all other nodes in the deployment?
Thanks
12-12-2023 06:58 AM
so if I generate a new self-signed cert for the primary node or use the check box to renew, which is the best way?
If the cert is new you need to add it to the trusted store and amend as per requirement.
12-12-2023 07:37 AM
Hi Rob
I'm thinking about possibly moving the admin use from the expired cert to a cert that's not expired; is this possible?
Thanks
12-12-2023 07:40 AM
@benolyndav yes, just click the other certificate and select the usage as "Admin" and apply, the services will then restart. Ensure the other certificate is trusted by the other nodes.
12-12-2023 08:03 AM
Hi
So just being curious, could I select any cert that's being used for, say, pxGrid or ISE messaging etc. and add the Admin use to the cert?
Thanks