ISE SSL Certificate renewal without service disruption

chacy2000
Level 1

I am in the process of renewing the existing ISE SSL certificate. The certificate is being used by the Admin, EAP authentication and RADIUS services. TAC is suggesting we perform this during a change/downtime window, due to the admin services' dependency on this certificate.

I need a second opinion. We are running a 6-node deployment (two admin nodes and 4 PSNs). We were hoping to perform this change without service disruption, one node at a time. Is there a way to renew the certificate without downtime? (Note: the cert is being used by Admin.)

 

ISE Version: 2.2.0.470

Patch: 5,9

 

 

3 Replies

umahar
Cisco Employee

The reason you have 4 PSNs is to avoid overall RADIUS service disruption.

Make changes on the PSNs one at a time, so that at all times the RADIUS service is handled by the rest of the PSNs.

Thank you, Umahar.

That is what I thought, but I wasn't sure whether different certificates being present on the nodes at the same time would break general communication between all the nodes (from an Admin standpoint).

 

BTW, have you tried this in a lab environment before?

 

 

 

I have yet to face the same scenario as you, and it's a common scenario that many will face too. So your question is a good one and it deserves a decent answer. Ha ha... once you find that answer, please share it with all of us.

 

Here is my take on the situation.  If you created your Admin role certs using the same CA chain (e.g. your organisation's PKI) then you should be able to replace each node's Admin cert one by one, and be 100% confident that they won't lose any SSL comms to the Primary PAN node - because the PAN and all the other nodes have the correct Trusted CA cert(s) installed.  So when you, e.g. replace an expiring Admin cert on a PSN with a new cert (signed by same CA) then of course the PSN application will restart, but it will not lose comms with the PAN.

 

I shudder to think what would happen if someone built an ISE deployment using only self-signed certs, and then 1 year later decides to "renew certs" when the ISE self-signed certs expire. Of course one should never use these if at all possible, but I am pretty sure there are deployments out there using self-signed certs.
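The two replies above rest on one precondition: every node's new Admin cert must chain to a CA that the PAN and the other nodes already trust, and only one PSN is touched at a time. The script below is an added lab example (not code from the thread or from Cisco) that exercises exactly that check with the openssl CLI before any cert is swapped. It builds a constructed lab CA standing in for "your organisation's PKI", issues certs for four hypothetical PSNs (one about to expire) plus one self-signed node, then classifies each node's cert as trusted, self-signed or untrusted and flags expiry within 30 days. The rolling-renewal loop refuses to proceed if any other node does not chain to the shared CA, which is the self-signed failure mode the last reply warns about. Node names, validity periods and the CA name are all assumptions for the demo; `openssl` must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a rolling ISE Admin cert renewal.
# Assumes the openssl CLI. All nodes and the CA below are constructed lab data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
TRUSTED_CA="$WORK/ca.crt"   # stands in for the CA already in every node's trusted store

# Constructed lab CA (assumption: your organisation's PKI root).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab Corp Root CA" \
    -keyout "$WORK/ca.key" -out "$TRUSTED_CA" 2>/dev/null
}

# Issue a node cert signed by the lab CA, valid for $2 days (simulates a CA-signed renewal).
issue_node_cert() {
  node="$1"; days="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$node" \
    -keyout "$WORK/$node.key" -out "$WORK/$node.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$node.csr" -CA "$TRUSTED_CA" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$days" -out "$WORK/$node.crt" 2>/dev/null
}

# Self-signed node cert: the case the last reply warns about.
issue_self_signed() {
  node="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$node" \
    -keyout "$WORK/$node.key" -out "$WORK/$node.crt" 2>/dev/null
}

# Classify one node's cert. Prints: "<node> TRUSTED|SELF-SIGNED|UNTRUSTED ok|expires-within-30d"
check_node() {
  node="$1"; crt="$WORK/$node.crt"
  if openssl verify -CAfile "$TRUSTED_CA" "$crt" >/dev/null 2>&1; then
    trust="TRUSTED"
  else
    issuer="$(openssl x509 -in "$crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
    subject="$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
    if [ "$issuer" = "$subject" ]; then trust="SELF-SIGNED"; else trust="UNTRUSTED"; fi
  fi
  # -checkend N exits 0 only if the cert is still valid N seconds from now.
  if openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null; then
    expiry="ok"
  else
    expiry="expires-within-30d"
  fi
  echo "$node $trust $expiry"
}

# Rolling renewal: one node at a time. Before touching a node, confirm every OTHER node
# still chains to the shared CA, so the PAN keeps talking to the rest of the deployment.
rolling_renew() {
  for node in "$@"; do
    for other in "$@"; do
      [ "$other" = "$node" ] && continue
      case "$(check_node "$other")" in
        "$other TRUSTED"*) ;;
        *) echo "abort: $other does not chain to the trusted CA"; return 1 ;;
      esac
    done
    issue_node_cert "$node" 365     # simulated renewal from the same CA
    echo "renewed $node"
  done
}

# Constructed lab deployment: four PSNs (psn4 expiring soon) and one self-signed node.
make_ca
issue_node_cert psn1 365
issue_node_cert psn2 365
issue_node_cert psn3 365
issue_node_cert psn4 10
issue_self_signed psn-selfsigned 365

for n in psn1 psn2 psn3 psn4 psn-selfsigned; do check_node "$n"; done
```

Against a live deployment the same classification is done on the cert each node actually serves (`openssl s_client -connect <node>:443 -showcerts`) rather than on files, but the decision logic is identical: a renewal is only safe one node at a time when the replacement chains to a CA the other nodes already trust.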