
ISE nodes with expired admin certificate

rfountain72
Level 1

I have an ISE environment that we use for TACACS; we are running version 2.6. The issue that I have is that for whatever reason, someone renewed the production TLS certificate on the primary admin node but didn't update the other nodes. So now when I go into the certificate store area and try to select any of the other two nodes [with expired 3rd party certificate] I get the error you see attached.

Can someone show me the article that would show someone how to renew certificates on a node that is giving this error? Thanks!

4 Replies

You should be able to HTTPS directly to the other nodes. On the admin GUI, you can perform certificate operations on the individual nodes.

Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2503911.html

Thank you, I'm a bit closer as I'm logged into that node directly but the only choice I have is to "export" certificates. I don't see where I can import the certificate that I exported from the primary PAN. I logged onto the other node as well and same thing, just "export". Does this need to be done via CLI? I'm logging in with the local admin account to make sure I have all rights.

Yeah, I misunderstood the original question. For the secondary nodes, I’ve always just rebuilt from scratch when I run into this at customer sites. See this thread: https://community.cisco.com/t5/network-access-control/ise-expired-certificate-on-de-auth-node/td-p/4442884

Or if it's possible to de-register the nodes? Once they are in Standalone, you can manage them directly. But if the de-registration doesn't work, then a rebuild is needed.