Renew certificate of a deleted node

Hello, 

 

I have an ISE with two PAN and two PSN. 

The certificate for admin usage is expired. I have deleted the secondary node and now when I try to register it back, I get the expired certificate error. 

I will renew the certificate. 

My concern is how will I point it to the node I deleted. 

In system certificates, there is no reference anymore, but in trusted certificate, I see the certificate. 

 

Regards, 

Konstantinos

 

Accepted Solution

Arne Bier (VIP)

Hi Konstantinos

 

An expired certificate won't be of any use to you. The answer is to create a CSR on each ISE node and have it signed by a CA. It can be an internal CA or an external (public) CA. Either will work. Whichever CA you choose, make sure you install the CA cert chain in BOTH Admin Nodes.

When you register the Secondary PAN from the Primary PAN Admin GUI you won't have any issues, because both admin nodes have certs from the same CA.

 

If you want a quick and dirty hack then go to the standalone Admin node, generate a self-signed certificate for the Admin role, and then export that cert to a file. Import that file into the Primary Admin node in the Trusted Certs. That should allow you to register the secondary PAN. But it's not pretty and it's not the best way to do things - it's a last resort.


3 Replies

Anurag Sharma (Cisco Employee)

Hi @kostasthedelegate,

 

If the expired admin certificate is a self-signed certificate, then you can renew it easily by clicking on Edit for the certificate and choosing the renewal period. 

A self-signed certificate is the one where the 'Issued to' is the same as 'Issued by'.

If it's not a self-signed certificate, meaning it's a CA-signed certificate, then you need the CA of the certificate in the other node.

Basically, Node A's certificate's CA should be in the Trusted Certificates store of the Node B.

Node B's certificate's CA should be in the Trusted Certificates store of the Node A.

 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

ade5 (Level 1)

It doesn't register because it doesn't trust the secondary node anymore. To resolve, do either of the following:

 

- Generate a self-signed cert for "admin", then export it.

- Import that into the secondary admin node's "trusted certificates" under Certificate Management.

 

or generate a CSR, have your internal CA sign it, and import it into the trusted certificates of both nodes.

 

Hope that helps.
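The trust relationship all three replies describe (a CA-signed admin cert with the CA chain in both admin nodes' trusted stores, or the self-signed cert imported directly into the peer's store), as an added lab walkthrough in plain openssl; this is not code from the thread or from Cisco ISE, and the CA name, node names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added lab example, not from the thread or from Cisco: reproduce the trust check an
# ISE node applies at registration with plain openssl. Peer trust needs (1) the
# presenting node's admin cert to be in date and (2) its issuer (the CA, or the
# self-signed cert itself) in the peer's trusted store. All names are constructed.
set -e
WORK="$(mktemp -d)"; cd "$WORK"

# Throwaway internal CA (the thread's recommended path: an internal or public CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=lab-ca" \
  -keyout ca.key -out ca.crt 2>/dev/null
# One CSR per admin node, signed by that CA.
for n in node-a node-b; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$n.crt" 2>/dev/null
done
# Self-signed admin cert: the 'quick and dirty' path (issuer == subject).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=node-self" \
  -keyout self.key -out self.crt 2>/dev/null

# Self-signed means 'Issued to' equals 'Issued by': compare the DN hashes.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}
# 'Import into Trusted Certificates': a trusted store is just a PEM bundle here.
install_trusted() { cat "$2" >> "$1"; }            # $1 store, $2 cert to trust
# How a peer holding store $1 sees cert $2: expired | untrusted | ok.
trust_status() {
  if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then echo expired
  elif ! [ -s "$1" ] || ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo untrusted
  else echo ok; fi
}

: > store-a.pem; : > store-b.pem                    # both nodes start with empty stores
echo "A sees node-b before CA import: $(trust_status store-a.pem node-b.crt)"   # untrusted
install_trusted store-a.pem ca.crt; install_trusted store-b.pem ca.crt
echo "A sees node-b after CA import:  $(trust_status store-a.pem node-b.crt)"   # ok
echo "B sees node-a after CA import:  $(trust_status store-b.pem node-a.crt)"   # ok
# The hack: import the self-signed cert itself, after which the peer accepts it.
echo "B sees self.crt before import:  $(trust_status store-b.pem self.crt)"     # untrusted
install_trusted store-b.pem self.crt
echo "B sees self.crt after import:   $(trust_status store-b.pem self.crt)"     # ok
```

The `expired` branch is the condition from the original question: `openssl verify` would reject an out-of-date cert too, but checking `-checkend` first tells you which of the two problems you are looking at.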