Ise Deployment Question

benolyndav
Level 4

Hi

If I generate a new self-signed cert on the primary node and use it for multiple uses, one being Admin, would the application restart affect the secondary node? Or would it carry on serving clients as normal?

 

Thanks

2 Accepted Solutions


balaji.bandi
Hall of Fame

If the clients have valid certs they should not be affected.

What kind of cert are you replacing, admin certs? Adding a new cert does not require ISE to reload.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


@benolyndav generally yes you can as long as it's trusted by other nodes etc. Preferably you'd have at least a dedicated certificate for admin role IMO.


15 Replies


Hi

Sorry, pressed the wrong button, I didn't want to accept the solution. It's self-signed certs and they are multi-use, admin being one of the uses.
Also, I do see there is a button to renew the cert; is that the easiest way to renew?

thanks

, it's self-signed certs and they are multi-use, admin being one of the uses,
also, I do see there is a button to renew the cert; is that the easiest way to renew?

Are you renewing the self-signed certs or replacing them?

What kind of deployment, and what ISE version?

Have you checked the document posted above? It relates to renewal of certs.

BB



Can I know what service for clients you use on the secondary node?
MHM

Friend, they will be affected, be careful.
The admin cert in distributed mode is important.
Check before applying any change.
MHM 

When you set up a deployment, the node that you designate as the Primary Administration Node (PAN) becomes the Root CA. The PAN has a Root CA certificate and a Node CA certificate that is signed by the Root CA.

When you register a Secondary Administration Node to the PAN, a Node CA certificate is generated and is signed by the Root CA on the Primary Administration Node.

Any Policy Service Node (PSN) that you register with the PAN is provisioned an Endpoint CA and an OCSP certificate signed by the Node CA of the PAN. The Policy Service Nodes (PSNs) are subordinate CAs to the PAN. When you use the ISE CA, the Endpoint CA on the PSN issues the certificates to the endpoints that access your network.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_manage_certificates.html

Check this guide; see ISE root CA in PAN.
MHM

hi

It's the self-signed certs that have expired on the primary admin and secondary admin nodes; these certs are used for DTLS, Admin, Portal and EAP auth.
thanks

You can start with new certs on the primary node and later the secondary node; the document gives you the steps.

Clients should not see any issue, as long as both systems are configured correctly to fail over to the other ISE when one ISE is not reachable.

BB



@benolyndav applying a new admin certificate to a node will restart the services on that node only. As long as the secondary node provides the same services (RADIUS, TACACS etc.) then the clients will continue to be authenticated. It is important that the secondary node trusts the primary node's new admin certificate.

If you also use the new certificate for EAP (and any other function), then those clients will need to trust the new certificate; when using a self-signed certificate this won't be easy. The recommendation is to use an internal CA for admin/EAP.
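As an added pre-change check for the point above (example code, not from this thread and not Cisco tooling): it models a PAN whose self-signed admin certificate has expired, its renewed replacement, and each other node's trusted store, then lists the nodes that would stop trusting the PAN because they have not yet imported the new cert. It assumes the `cryptography` Python library; the node names and certificates are constructed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_self_signed(cn, valid_from, valid_to):
    """Constructed stand-in for an ISE node's self-signed system certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)  # issuer == subject: self-signed
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(valid_from).not_valid_after(valid_to)
            .sign(key, hashes.SHA256()))

def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256()).hex()

def is_self_signed(cert):
    return cert.subject == cert.issuer

def expires_at(cert):
    # not_valid_after_utc exists in cryptography >= 42; older versions expose naive UTC
    utc = getattr(cert, "not_valid_after_utc", None)
    return utc if utc is not None else cert.not_valid_after.replace(tzinfo=timezone.utc)

def is_expired(cert, now=None):
    return expires_at(cert) < (now or datetime.now(timezone.utc))

def trust_gaps(new_cert, trusted_stores):
    """Nodes whose trusted-certificate store lacks the new cert. A self-signed cert
    chains to nothing, so a node can only trust it by holding that exact cert (same
    fingerprint); any node listed here will stop trusting the PAN after the change."""
    fp = fingerprint(new_cert)
    return sorted(node for node, store in trusted_stores.items()
                  if fp not in {fingerprint(c) for c in store})

# Constructed deployment: the PAN's expired admin cert, its renewal, and what each
# other node currently holds in its trusted store (node names are hypothetical).
NOW = datetime.now(timezone.utc)
PAN_OLD = make_self_signed("ise-pan", NOW - timedelta(days=400), NOW - timedelta(days=35))
PAN_NEW = make_self_signed("ise-pan", NOW - timedelta(days=1), NOW + timedelta(days=365))
TRUST_STORES = {
    "ise-san": [PAN_OLD, PAN_NEW],  # secondary admin node: renewal already imported
    "ise-psn-1": [PAN_OLD],         # PSN: still holds only the expired cert
}
if __name__ == "__main__":
    print("PAN cert expired:", is_expired(PAN_OLD), "| nodes to fix:", trust_gaps(PAN_NEW, TRUST_STORES))
```

In a real deployment the trusted-store contents would come from each node's Trusted Certificates page rather than from constructed objects.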

 

Hi

So the PSN nodes are using a cert from an external CA for EAP, which I guess is why clients are OK. The primary admin node is, as mentioned, using a self-signed cert which has expired, for admin, EAP, portal and DTLS.
So if I generate a new self-signed cert for the primary node or use the check box to renew, which is the best way?

Then this new cert also has to be in the trusted certs on all the other nodes in the deployment?

Thanks

 

so if I generate a new self-signed cert for the primary node or use the check box to renew, which is the best way?

If the cert is new you need to add it to the trusted store and amend as per requirement.

 

BB



Hi Rob

I'm thinking about possibly moving the admin use from the expired cert to a cert that's not expired; is this possible?

Thanks

@benolyndav yes, just click the other certificate, select the usage as "Admin" and apply; the services will then restart. Ensure the other certificate is trusted by the other nodes.

Hi

So, just being curious, could I select any cert that's being used for, say, pxGrid or ISE Messaging etc. and add the Admin use to that cert?

Thanks