4231 Views · 20 Helpful · 4 Replies

ISE - Expired Certificate on de-auth node

HomeroVautier83
Level 1

Hi Experts,

I'm very new to ISE, can you guys help me with this issue?

I have a 4-VM ISE deployment, version 2.4.0.357: 2 admin and monitoring, and 2 policy services.

We had an issue with one policy node, status was red... I tried to deregister and register it back again, but the self-signed cert is expired, so it won't let me register it back again.

Self-signed certs are expired from all my nodes.

Is there a way to generate a self-signed cert through the CLI, so I could do that and add the node back to deployment?

Thanks in advance

4 Replies

Greg Gibbs
Cisco Employee

No, there is no way to manage the identity certificates via the CLI. You will need to connect to the GUI of each individual node and generate new self-signed certificates.

Since you are using self-signed certificates, you will also need to export the new certs and import them into each of the other nodes' Trusted Certificates stores, so that each node trusts each other node's Admin cert, before trying to rejoin the nodes to the cluster.

Best practice is to use CA-signed certificates with a common root CA so that each node inherently trusts the others with the same trust chain.

For more info, see:

TLS/SSL Certificates in ISE

How To Implement Digital Certificates in ISE
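To make the two trust models in the reply above concrete (every node importing every other node's self-signed Admin cert, versus a single common root CA that every node trusts), and to show the expiry check that would have flagged the certificates before registration failed, here is an added shell example. It is not from the thread and has nothing to do with ISE's own CLI; it only uses openssl. It assumes openssl is installed, and the node names (pan01, psn01, pan02, psn02), the .example.internal suffix and the scratch directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from ISE: models the two trust
# designs with openssl and adds an expiry check for the admin certs.
# Assumptions: openssl is on PATH; node names and the .example.internal
# suffix are constructed; all files live in a scratch directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed admin cert for one node.  $1 = node name, $2 = validity in days
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1.example.internal" >/dev/null 2>&1
}

# One root CA for the whole deployment (the "common root CA" design).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
}

# CSR-based node cert signed by that CA.  $1 = node name
make_ca_signed() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1.example.internal" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Does a node's Trusted Certificates store (a PEM bundle) accept a peer's
# admin cert?  Exit 0 = trusted.  $1 = trust store, $2 = peer cert
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the cert expires within $2 seconds (renew it now),
# 1 if it stays valid past that window.  $1 = cert
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Self-signed design: pan01 does not trust psn01 until psn01's cert is
# explicitly imported into pan01's trusted store (and vice versa).
demo_selfsigned() {
    make_selfsigned pan01 365
    make_selfsigned psn01 365
    if trusts "$WORK/pan01.crt" "$WORK/psn01.crt"; then
        return 1    # must NOT be trusted before the import
    fi
    # "Import" = append the peer cert to the node's trusted bundle
    cat "$WORK/pan01.crt" "$WORK/psn01.crt" > "$WORK/pan01-trusted.pem"
    trusts "$WORK/pan01-trusted.pem" "$WORK/psn01.crt"
}

# CA-signed design: every node trusts every other node once the single
# root CA is in its trusted store; no per-node import is needed.
demo_ca_signed() {
    make_ca
    make_ca_signed pan02
    make_ca_signed psn02
    trusts "$WORK/ca.crt" "$WORK/psn02.crt" && trusts "$WORK/ca.crt" "$WORK/pan02.crt"
}

demo_selfsigned && echo "self-signed: trusted only after explicit import"
demo_ca_signed  && echo "CA-signed: trusted through the common root CA"

# Expiry monitoring: a cert valid for one more day trips a 30-day warning.
make_selfsigned soon 1
if expires_within "$WORK/soon.crt" $((30*24*3600)); then
    echo "soon.crt: renew now (expires within 30 days)"
fi
```

Run the same `openssl x509 -checkend` check on a schedule against each node's exported Admin cert (or its HTTPS endpoint) and you get the warning weeks before the situation in this thread, where every node's cert had already lapsed and re-registration was refused.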

HomeroVautier83
Level 1

Hello Greg,

Thanks for your reply.

Couldn't find a way to generate the new self-signed cert from the other nodes. The option only appears in the primary administration node, and for the nodes already in the deployment.

That means I won't be able to add the node back?

Greg Gibbs
Cisco Employee

When the Secondary nodes cannot sync with the Primary, they must be reverted to Standalone mode to generate new certificates. At this point, you have little option but to rebuild the cluster. From the CLI on the secondary nodes, you will have to issue the 'application reset-config ise' command. Once the database is reset and the application server has started again, you will be able to generate self-signed certs (or better yet, CSRs and CA-signed certs) and join the nodes back to the Primary PAN to rebuild the cluster. The policy configuration is stored in the Primary PAN, so the rebuilt Secondary nodes will sync their configs upon joining the cluster again.

You can either do multiple nodes at a time during an outage window, or rebuild one PSN at a time so that you still have one active PSN to continue handling endpoint sessions (depending on how your H/A architecture is built).

After getting the cluster back to a healthy state again, you should also strongly consider upgrading to a newer software version as 2.4 reaches End of Software Maintenance in a few months.

HomeroVautier83
Level 1

Hello, Greg!

Sorry for taking too long to respond, but I've only had time to perform the "application reset-config ise" today and I was able to successfully restore the node and add it back to the cluster. Only thing to do was to remove the expired cert from the trusted certificates in the primary PAN.

Thanks
