Questions about ISE CA Certs during 2.3 to 2.7 upg (backup&restore)

Feds
Level 1

Hi everyone,

I need to migrate a 3-node 2.3p7 deployment to 2.7.

BYOD certs use internal ISE CA. 

The PSN-only node has 4 of these certs (2x OCSP and 2x Sub CA), 2 of which are expired (1+1). However, the PANs have many each: 13x on the Pri PAN (4x expired) and 10x on the Sec PAN (3x expired).

Pri PAN was rebuilt last year so 4x of those have that issue date.

By looking at the oldest valid Issued Cert (expiring today) I see that the CA Chain is the same as the most recent one, and Pri PAN certs used are those from last year.

Q1- Is it safe to remove expired certs?

Q2- Why are there so many CA certificates? Is it safe deleting less recent ones for the same type?

Q3- I've read that after upgrading I'll have to re-generate the ISE CA Chain. TAC also confirmed this however I don't see why CA Certs couldn't be simply re-imported on new 2.7p5 nodes using CLI and be valid.

Having to re-generate the chain will impact BYOD certs.

Many thanks

Fed

3 Replies

Hi Fed,

Yes, it's safe to remove expired CAs or regenerate them, which will replace the expired ones. With regards to the many CA certs, these are used for different internal functions by ISE such as DTLS, internal messages, ISE node replication, etc. You cannot delete these CAs; you can only regenerate them.

Finally, on the regeneration: unfortunately this is a known issue after upgrade. You will start getting queue link errors and node status will not be displayed. The fix is to regenerate the root CAs, which, as you said, will impact the BYOD and Guest deployments if you are issuing per-endpoint certs.

**** please remember to rate useful posts

Hi Mohammed,

Thank you for your reply.

I'm aware there are different types of CA certs (Endpoint Sub CA, OCSP Responder, Node CA, Root CA, Endpoint RA, maybe others) and that depending on its role a node can have some or all of these, but what I was saying is that the Pri and Sec PAN in my 2.3p7 deployment have multiple certs for the same role, and I found this confusing. Can you explain this? The Pri PAN, which was re-installed a couple of years ago, has 3 more certs than the Sec PAN, which has never been re-installed.

However, I confirmed that the CA chain for all the currently valid BYOD certs issued by ISE (I checked the oldest and newest ones) is the same and uses the most recent Endpoint Sub CA (BYOD PSN node), Node CA and Root CA (Pri PAN) certificates.

I also got the Queue Link error in the lab. Hopefully Cisco fixes this soon.

Cheers,

Fed
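Fed's check above (comparing the CA chain of the oldest and newest valid BYOD certs) and the question of which of several same-role CA certs is actually in use can be verified cryptographically once the certificates are exported as PEM files. The following is an added example, not code from this thread or from Cisco ISE: it models the ISE internal hierarchy (Root CA, Node CA, Endpoint Sub CA, endpoint cert) with plain OpenSSL, deliberately keeps two Endpoint Sub CA certificates with the same subject but different keys (the kind of leftover a rebuilt PAN or a regenerated CA produces), and shows why matching the issuer DN is not enough: only a signature check tells you which Sub CA really signed a given BYOD cert. All subjects, lifetimes and file names are made up, and the 7-day window in the expiry report is an arbitrary threshold.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco code): a throwaway CA hierarchy
# shaped like ISE's internal one, with two "Endpoint Sub CA" certs that share a
# subject but not a key. Needs only the openssl CLI; every name is made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# One config file serves both 'req' (needs a [req] section) and 'x509 -extfile'.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# newcsr NAME SUBJECT: fresh RSA key NAME.key and request NAME.csr
newcsr() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER SECTION DAYS: issue NAME.pem from NAME.csr with ISSUER's key
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$4" -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

newcsr root "/CN=ISE Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile pki.cnf -extensions ca -out root.pem 2>/dev/null
newcsr node    "/CN=ISE Node CA";          sign node    root    ca 3650
newcsr sub_old "/CN=ISE Endpoint Sub CA";  sign sub_old node    ca 3650  # pre-rebuild key
newcsr sub_new "/CN=ISE Endpoint Sub CA";  sign sub_new node    ca 3650  # current key
newcsr byod    "/CN=alice-laptop";         sign byod    sub_new ee 1     # BYOD cert, expires tomorrow
cat node.pem sub_new.pem > chain.pem

# signer_of CERT CA...: print the CA file whose key verifies CERT's signature.
# Issuer-DN matching cannot tell sub_old and sub_new apart; -partial_chain lets
# openssl treat an intermediate as the trust anchor, so only the signature decides.
signer_of() {
  cert=$1; shift
  for ca in "$@"; do
    if openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1; then
      echo "$ca"; return 0
    fi
  done
  return 1
}

# still_valid_after CERT SECONDS: succeeds if CERT will not have expired SECONDS
# from now. SECONDS=0 asks "is it expired right now?".
still_valid_after() {
  openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Report, the way one would read through an exported certificate store.
echo "Full chain (root -> node -> sub_new -> byod):"
openssl verify -CAfile root.pem -untrusted chain.pem byod.pem
echo "byod.pem was signed by: $(signer_of byod.pem sub_old.pem sub_new.pem)"
for c in root node sub_old sub_new byod; do
  if still_valid_after "$c.pem" $((7 * 86400)); then status="ok"
  else status="EXPIRES within 7 days"; fi
  printf '%-8s %s  %s\n' "$c" "$(openssl x509 -noout -enddate -in "$c.pem")" "$status"
done
```

Run against a real export, the two functions are the parts to keep: `signer_of` is how to confirm that every currently valid endpoint cert chains to the same Sub CA key rather than merely to the same Sub CA name, and `still_valid_after` with a window of 0 separates certificates that are already expired from those that are merely old. In general PKI terms, a CA certificate that is expired and that no valid issued certificate chains to is dead weight, whereas a same-subject CA whose key still verifies current endpoint certificates has to stay until those certificates are reissued.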

hslai
Cisco Employee

On Q3, CSCvv87286