05-14-2014 05:01 AM - edited 03-10-2019 09:43 PM
Hi Experts,
I have a question regarding ISE disaster recovery with the same hostname and IP. For step 2, is it a must to generate a self-signed cert? Is it possible to go back to using the original N1 CA-signed certificate?
Resolution Steps
1. Obtain the N1 backup and restore it on N1A. See "Restoring Data from a Backup" section for more information. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.
2. You must generate a new self-signed certificate. See "Generating a Self-Signed Certificate" section for more information.
3. You must log in to the Cisco ISE user interface on N1A, choose Administration > System > Deployment, and do the following:
a. Delete the old N2 node. See "Removing a Node from Deployment" section for more information.
b. Register the new N2A node as a secondary node. See "Registering and Configuring a Secondary Node" section for more information. Data from the N1A node will be replicated to the N2A node.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html
09-10-2014 10:46 AM
Hi,
The reason for asking to create a self-signed cert is that the subject name of the certificate should match the ISE node FQDN. If you import the N1 node CA-signed certificate, that certificate will have the hostname of the N1 node as its subject name and it will not work.
So you have to create a self signed certificate or get a new CA signed certificate with subject name as N1A node FQDN.
Hope this clarifies the reason of self signed certificate.
09-11-2014 03:18 PM
As long as:
- The newly built node has the same FQDN
- You have the original signed certificate and private key
- Root's and subordinate's (If any) CA certificates
Then you should be able to just re-import the cert.
Thank you for rating helpful posts!
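
Added example, not part of the thread and not Cisco tooling: a pre-import check with the OpenSSL CLI for the three conditions listed in the reply above (certificate matches the node FQDN, private key matches the certificate, CA chain in hand). It assumes PEM files and an unencrypted private key; the function names and file arguments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Cisco tooling): checks to run on a workstation before
# re-importing a CA-signed certificate onto a rebuilt node.
# Arguments are PEM files you supply; nothing here talks to ISE.

# Condition 1: the certificate identity (SAN, or CN when there is no SAN)
# matches the FQDN of the rebuilt node.
cert_matches_fqdn() {   # usage: cert_matches_fqdn cert.pem fqdn
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# Condition 2: the private key you kept belongs to that certificate.
# Compared via the public key, so it works for RSA and EC keys alike.
key_matches_cert() {    # usage: key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Condition 3: the root and subordinate CA certificates you hold
# (concatenated into one PEM bundle) actually chain to the certificate.
chain_verifies() {      # usage: chain_verifies cert.pem ca_bundle.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks; report the first one that fails.
ready_to_reimport() {   # usage: ready_to_reimport cert.pem key.pem ca_bundle.pem fqdn
    cert_matches_fqdn "$1" "$4" || { echo "FAIL: certificate does not cover $4"; return 1; }
    key_matches_cert "$1" "$2"  || { echo "FAIL: private key does not match certificate"; return 2; }
    chain_verifies "$1" "$3"    || { echo "FAIL: chain does not verify against $3"; return 3; }
    echo "OK: certificate can be re-imported for $4"
}

# When called with four arguments, run the checks directly.
if [ "$#" -eq 4 ]; then
    ready_to_reimport "$@"
fi
```

A failure on the first check is the situation the earlier reply describes: the certificate names the old node, so a new certificate for the new FQDN is needed.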