
<Q> ACS to ISE Migration w/ self-signed certification

maono
Cisco Employee

Hello experts,

My customer is migrating their existing ACS to ISE, and a local channel partner is currently conducting tests.

One of the requirements from the customer is that they’d like to keep using the self-signed certificate currently used on ACS even after migrating to ISE.

We understand the statement below in the case of a CA certificate, but what about a self-signed certificate? Would we see the same/similar result with a self-signed certificate as well? (Seemingly what the partner is claiming right now is very similar to this.)

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01011.html#task_690A54FCC70542FF833337BBA69C8B9D

*************************

When performing a backup and restore, the restore overwrites the list of trusted certificates on the target system with the list of certificates from the source system. It is critically important to note that backup and restore functions do not include private keys associated with the Internal Certificate Authority (CA) certificates.

*************************

Any comments on this would be much appreciated!

Thanks,

Masaki. 


4 Replies

hslai
Cisco Employee

That note is specific to the ISE internal CA.

In the case of server certificates, they are not restored if the hostnames differ between the source of the CFG backup taken and the target of the restore. I would suggest exporting both the private keys and the certificates of all server certificates for safekeeping.

Please note that a server certificate cannot be applied to an ISE node for admin usage unless the ISE node FQDN can be matched in either the Subject common name (CN) or a DNS entry in the subject alternative names (SAN).

kthiruve
Cisco Employee (Accepted Solution)

Hi Masaki,

Self-signed certificates, as the name says, need to be generated by the box. You cannot copy a self-signed certificate; however, if you use the same FQDN/DNS for the new box, you should be good in your network.

If you are concerned about the key size of the self-signed certificate, you can go to ISE certificates and re-generate a new one with a different key size. You can also select the services you want the certificate to be used for, in case you use both self-signed and CA-signed certificates.

CA-signed is the recommended option since it provides ease of provisioning certificates on your endpoints, as the CA certificate may be available already. Also, it offers better security in general.

That said, ISE will generate a self-signed certificate by default during installation, and you can use it for different services. You don’t have to copy one from ACS. If you do that, it is not called a self-signed certificate.

To your second point: ACS to ISE migration is not a backup and restore. You need to use the migration tool to migrate configuration data from ACS to ISE.

Please see http://cs.co/acstoise for more information.

Thanks

Krishnan

Hello Krishnan,

Thank you very much for picking this up as well as your response.

What makes it a bit difficult here is that the customer actually insists they’d like to keep using the self-signed certificates being used on the existing ACS.

Is this doable in the first place?

Also, regarding what you said, “You cannot copy self-signed certificate, however if you use the same FQDN/DNS for the new box you should be good in your network.” Could you please elaborate more? I’m not sure I understand what you mean by “you should be good.”

Regards,

Masaki.

Self-signed certs cannot be carried from one box to another.

What is your concern here? Are they worried that the users will now need to manually trust the new server certificate?

Customers should not be using self-signed certs in a production environment; this is one of the problems with them.

Customers should deploy well-known certificates so that users will not run into trust issues and have to manually install each node's certificate.

Also, they should deploy a wildcard in the SAN if they have multiple PSNs for user devices.

If the customer had deployed well-known certs on ACS and then wanted to reinstall on ISE (with the same FQDN), this would have worked because you have the private key saved off.

With self-signed, this is not the case.
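Two rules in this thread can be turned into a pre-flight check before binding an exported certificate to an ISE node: hslai's point that the node FQDN must appear in the Subject CN or as a DNS entry in the SAN, and the last reply's advice to use a wildcard SAN when several PSNs share one certificate. The script below is an added example, not code from the thread or from Cisco ISE. The certificate records are constructed in-line (a real script would parse the exported PEM, for instance with the `cryptography` library); `CertInfo`, `fqdn_matches`, `admin_cert_check` and the example host names are assumptions made for the illustration.

```python
"""Pre-flight checks for a server certificate before it is bound to an ISE node.

Added example. Certificate fields are constructed dictionaries, not parsed
from real ISE or ACS certificates.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertInfo:
    """Minimal view of an X.509 certificate: subject/issuer DN strings and SAN DNS names."""
    subject: str
    issuer: str
    san_dns: List[str] = field(default_factory=list)


def _cn(dn: str) -> str:
    """Pull the CN attribute out of a DN string such as 'CN=host,O=Org'."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return ""


def is_self_signed(cert: CertInfo) -> bool:
    # A self-signed certificate is issued by itself: subject DN equals issuer DN.
    # (A full check would also verify the signature with the cert's own public key.)
    return cert.subject == cert.issuer


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against an FQDN, with RFC 6125 style wildcard rules:
    the wildcard must be the entire leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*.com' style wildcards (fewer than two fixed labels) are rejected.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matched_via(cert: CertInfo, fqdn: str) -> Optional[str]:
    """Return 'SAN' or 'CN' depending on where the FQDN was found, or None.
    SAN is consulted first; browsers ignore the CN entirely when a SAN is present."""
    for name in cert.san_dns:
        if _name_matches(name, fqdn):
            return "SAN"
    if _name_matches(_cn(cert.subject), fqdn):
        return "CN"
    return None


def fqdn_matches(cert: CertInfo, fqdn: str) -> bool:
    return matched_via(cert, fqdn) is not None


def admin_cert_check(cert: CertInfo, node_fqdn: str) -> dict:
    """Summary an operator would want before using the cert for the admin role on a node."""
    return {
        "self_signed": is_self_signed(cert),
        "fqdn_matches": fqdn_matches(cert, node_fqdn),
        "matched_via": matched_via(cert, node_fqdn),
    }


# Constructed sample certificates (hypothetical names, not from the thread).
ACS_SELF_SIGNED = CertInfo(
    subject="CN=acs01.example.com,O=Example Corp",
    issuer="CN=acs01.example.com,O=Example Corp",
)
CA_WILDCARD = CertInfo(
    subject="CN=ise01.example.com,O=Example Corp",
    issuer="CN=Example Corp Issuing CA,O=Example Corp",
    san_dns=["ise01.example.com", "*.example.com"],
)

if __name__ == "__main__":
    # The old ACS self-signed cert only names the ACS host, so it cannot be
    # applied to a node with a different FQDN.
    print(admin_cert_check(ACS_SELF_SIGNED, "ise01.example.com"))
    # A CA-signed cert with a wildcard SAN covers every PSN in the domain.
    for node in ("ise01.example.com", "psn01.example.com", "psn02.example.com"):
        print(node, admin_cert_check(CA_WILDCARD, node))
```

The wildcard check deliberately refuses to match a bare domain (`example.com`) or a name with an extra label (`a.psn01.example.com`), which is the behaviour endpoints will apply when they validate the PSN certificate; running the check over every planned node FQDN before the cut-over avoids discovering a mismatch at the first 802.1X or guest portal connection.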
