
Renewal of certificates distributed deployment

albertofdez
Level 1

Hi guys,

The customer currently has 2 Cisco ISE 3.0 in HA, one is the primary administration/monitoring + PSN and the other is the secondary administration/monitoring + PSN.

Everything works perfectly, but we need to renew the Admin, EAP Authentication and Portal certificates.

I need to verify if this process I want to perform would be the correct one.
- In the primary ISE I generate a CSR of type Multi-Use and check the box for both nodes.
- I export the .pem file and in my Microsoft AD CA I request a certificate with the Web Server template.
- In the primary ISE I go back to the CSR screen, select it and click on Bind Certificate, fill in the data and tell it that I am going to use it for Admin, EAP Authentication and Portal.

Would this be enough?
Would I have to do something in the secondary ISE?

Thanks.

Accepted Solutions

@albertofdez yes that's enough, bear in mind though that when you bind a new "Admin" certificate the services will restart, so plan to make the change out of hours. You can do everything from the Primary ISE node, it will apply the certificate to the Secondary ISE node.


Mike.Cifelli
VIP Alumni

Yes that would suffice.  For the third part:

- In the primary ISE I go back to the CSR screen, select it and click on Bind Certificate, fill in the data and tell it that I am going to use it for Admin, EAP Authentication and Portal.

--Be aware that for Admin protocol changes, a restart of the ISE services is required.  Lastly, note that EAP protocol changes do not trigger a restart of the ISE services.
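
A pre-bind check for the procedure discussed in this thread, added here as an example (it is not part of any post and not Cisco tooling): before clicking Bind Certificate, confirm with openssl that the file returned by the CA carries the CSR's public key, covers both nodes, has the Server Authentication EKU and is within its validity period. The node names under example.test and the file names are hypothetical, and the sample CSR and certificate are constructed (self-signed) so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example: checks on a CA-signed certificate before binding it to a CSR.
# Usage: check_issued_cert CSR CERT FQDN...   (returns 0 only if all checks pass)
check_issued_cert() {
  local csr="$1" cert="$2" rc=0 want got fqdn
  shift 2
  # 1. The certificate must carry the public key from the CSR; otherwise it
  #    cannot be paired with the private key that stayed on the node.
  want=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  got=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  if [ -z "$want" ] || [ "$want" != "$got" ]; then
    echo "FAIL: certificate public key does not match the CSR"; rc=1
  fi
  # 2. Every node that will present the certificate must be named in it.
  for fqdn in "$@"; do
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
         grep -q 'does match'; then
      echo "FAIL: $fqdn is not covered by the certificate"; rc=1
    fi
  done
  # 3. Admin, EAP and Portal all present it as a TLS server certificate.
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null |
       grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: Server Authentication EKU is missing"; rc=1
  fi
  # 4. The certificate must not already be expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate is expired or unreadable"; rc=1
  fi
  return $rc
}

# Constructed sample: throwaway key, CSR and self-signed certificate for two
# hypothetical nodes, standing in for the ISE CSR and the CA's response.
make_sample() {
  local d="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
    -subj "/CN=ise01.example.test" -out "$d/csr.pem" 2>/dev/null
  printf '%s\n' 'subjectAltName=DNS:ise01.example.test,DNS:ise02.example.test' \
    'extendedKeyUsage=serverAuth' > "$d/ext.cnf"
  openssl x509 -req -in "$d/csr.pem" -signkey "$d/key.pem" -days 90 \
    -extfile "$d/ext.cnf" -out "$d/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" && check_issued_cert "$tmp/csr.pem" "$tmp/cert.pem" \
  ise01.example.test ise02.example.test && echo "OK: all checks passed"
```

With real files, pass the CSR exported from the primary node, the certificate returned by the CA, and the FQDN of each node.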
