ISE's Internal Root CA. How to generate new one in distributed deployment?

pietrulewiczmarek · ‎04-26-2015

Hello,

I have two ISE nodes in distributed deployment. I would like to generate new Internal Root CA certificate. I was able to do that from primary node, but only FOR primary node. How can I achieve this for the other node?

Best Regards,

Marek

nspasov · ‎04-27-2015

Hi Marek-

All of the certificate management is performed from the Admin Node which becomes the Root CA for the ISE PKI. You generate Subordinate CA certificates to your Policy Nodes from the Primary Admin node. Check this link for more info:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#task_FF93B4C51BAC4CA196A48B607DAA595D

Also, since the primary node is the Root CA, you should export the certificate and the private key and import it to your secondary Admin node. This will enable the secondary node to be promoted to a Root CA in case of a failure of the primary admin node:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_435C4E3FF56949B1B4D5A0C73671AB22

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!

nspasov · ‎04-27-2015