Renewal of Admin Certificate

Sergio C
Level 1

I have to renew the admin certificate in a pair of ISE nodes (Prim / Sec) on Version 3.2.0.542 Patch 4.

Currently both devices have the same admin cert that expires in little over 3 weeks.

All the names and IPs in this thread are placeholders.

I generated the CSR with the CN of the main node (CN=main_node.domain.com) and, as SAN, the FQDN of the Primary node as well as the Secondary one, and their IPs:

DNS:prim_node.domain.com,DNS:11.11.11.11,IP:11.11.11.11,DNS:sec_node.domain.com,DNS:22.22.22.22,IP:22.22.22.22,DNS:*.domain.com
That follows the certificate that is currently deployed.

Now, about getting a maintenance window to bind and activate the certificate: if I understand the documentation correctly, the GUI will reload but ISE will continue to perform 802.1X and TACACS+ authentication (is that correct?). I'll schedule it out of hours anyway, but I want to be sure about the impact of renewing those certificates.

And in case something goes wrong and the certificate doesn't work properly, what are the potential implications and impact?
Would I be able to log into the ISE GUI to troubleshoot? Maybe use a local self-signed certificate, or revert to the current one?

I have 3 weeks until the current admin certificate expires, but I want to have time in case anything goes wrong.

Sorry, but this is my first time doing this, and I want to have as much of a "worst case scenario" prepared as possible.

12 Replies

You are right, the authentication and authorization sessions won't be affected during the renewal of the admin certificate unless the EAP Authentication usage is also added to that certificate, and yes, ISE application services will be restarted after you apply the new certificate; during that time you won't have access to the ISE UI. If something bad happens you won't be able to log into ISE via the UI, and I believe in that case you would need to contact TAC or restore the config from a backup. However, I've done this a plethora of times and never came across any issue.

Thanks Aref for your response.
The backup, I imagine, should be restored through the CLI. And even though the certificates are not exported in the backups, as they should still be loaded on the device, they'll be used.

Is there, that you know of, a procedure to generate a self-signed certificate, or to use one of the existing default self-signed ones for Admin, through the CLI? The self-signed certificates that came with both nodes when installed are still valid for one more year, and in an emergency I believe they could be used (they are currently being used for Guest Portal and RADIUS DTLS).

Any change to the ISE certificate for the Admin role needs ISE to restart.

When you renew the cert, you will get a pop-up message about restarting ISE.

MHM

As long as you have the "EAP Authentication" usage associated with a separate certificate, your authentication and authorization sessions will not be affected. If you are using the guest portal with the same certificate that you will be renewing, then that portal will be affected during the renewal process.

The configuration backup should include the system and trusted certificates; however, the backup wouldn't include any ISE internal CA certificates. When you restore it through the CLI you should be good to go. Another thing you can do, if you want, would be to export the certificate of interest via the UI before you go through the renewal process.

I'm sure there is a way to re-bind a certificate to the ISE admin portal through the CLI or to generate a new self-signed certificate; however, I believe that would require working with TAC, as they can get into ISE root shell access, which opens up the ISE appliance as a.

Sergio C
Level 1

Thank you both for your responses.

The certs for "Eap Auth" are separate ones. The guest portal is not currently in use.

I'll schedule a maintenance window just in case, but your answers have cleared the worries I had.

Peter Koltl
Level 7

> The certs for "Eap Auth" are separate ones

It does not matter. Not just the GUI reloads: the node restarts its ISE services when you change the admin certificate. But the NADs will fail over to the other RADIUS server, so 802.1X authentication keeps working. Then, when you change the certificate on the secondary node, it restarts and the NADs will switch to the working (primary) RADIUS server.


Thanks for your reply.

The thing is that both devices have the same cert for administration, so when I bind the CSR for Admin, the Primary and Secondary nodes should both be affected, right?

If I understood correctly, the Cisco documentation says that there is downtime, but it's not clear.

Also, the certificate was generated with the CN of the main FQDN and the SAN of the secondary one. Will the new certificate be pushed to the secondary node?

The downtime that is referenced in this document would be related to the fact that you would lose UI access while ISE services are being restarted, which is expected. If the cert has the primary PAN FQDN in the CN and has the secondary PAN FQDN in the SAN, you would be good to go. However, the recommendation would be to add both nodes' FQDNs as DNS values in the SAN alongside their IP addresses.

It depends on which nodes you selected when you created the CSR; when you bind it, it will be associated with those nodes you selected. If you selected both nodes, then when you bind it, it will be propagated to both nodes; if you had selected only one node, then it will only be associated with that node. However, this is not a problem, because you can manually export it from the node that got it and import it into the other one.
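An added example, not code from this thread or from Cisco, of what the answer above recommends: an OpenSSL CSR with the primary PAN FQDN as CN, both PAN FQDNs as DNS SANs and both addresses as IP SANs, followed by a check that a CSR or certificate actually covers both nodes (the "only one node selected" case shows up as a missing SAN) and a check on how close a certificate is to expiry. The names and addresses are the thread's placeholders; the paths, file tags and function names are assumptions. It uses only the openssl CLI and never talks to an ISE node.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Uses only the openssl
# CLI; nothing here talks to an ISE node. Names and addresses are the thread's
# placeholders; paths, file tags and function names are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/ise-admin-cert.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Write an OpenSSL request config: CN = primary PAN, SAN = whatever is passed in.
# $1 = CN, $2 = SAN list in OpenSSL syntax, $3 = config path
write_req_config() {
  cat >"$3" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $1
[ v3_req ]
subjectAltName = $2
EOF
}

# Generate key + CSR, then (to test offline) a self-signed cert from that CSR that
# carries the same SAN. In production the CSR goes to the CA instead.
# $1 = file tag, $2 = CN, $3 = SAN list, $4 = validity in days for the test cert
make_csr_and_cert() {
  cfg="$WORK/$1.cnf"
  write_req_config "$2" "$3" "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$4" \
    -sha256 -extfile "$cfg" -extensions v3_req -out "$WORK/$1.crt" 2>/dev/null
}

# Print the SAN entries of a CSR or certificate, comma separated, spaces removed
# (OpenSSL prints "IP Address:x", which becomes "IPAddress:x").
# $1 = csr|cert, $2 = path
san_of() {
  if [ "$1" = csr ]; then
    openssl req -in "$2" -noout -text
  else
    openssl x509 -in "$2" -noout -text
  fi | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Succeed only if every node FQDN is a DNS SAN and every node address an IP SAN.
# TLS clients match the SAN and ignore the CN, so the secondary PAN must be here.
# $1 = csr|cert, $2 = path
covers_both_pans() {
  san=$(san_of "$1" "$2")
  for need in DNS:prim_node.domain.com DNS:sec_node.domain.com \
              IPAddress:11.11.11.11 IPAddress:22.22.22.22; do
    case ",$san," in
      *",$need,"*) ;;
      *) echo "missing SAN $need" >&2; return 1 ;;
    esac
  done
  return 0
}

# Succeed if the certificate expires within $2 days. openssl -checkend exits 0
# when the cert will NOT expire inside the window, so the result is inverted.
# $1 = cert path, $2 = days
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# Constructed run: the SAN the accepted answer recommends, and a narrow one that
# only names the primary PAN (what a cert generated for one node looks like).
GOOD_SAN='DNS:prim_node.domain.com,DNS:sec_node.domain.com,IP:11.11.11.11,IP:22.22.22.22'
make_csr_and_cert good   prim_node.domain.com "$GOOD_SAN" 365
make_csr_and_cert narrow prim_node.domain.com 'DNS:prim_node.domain.com' 10

for tag in good narrow; do
  if covers_both_pans cert "$WORK/$tag.crt"; then
    echo "$tag.crt: SAN covers both PANs"
  else
    echo "$tag.crt: SAN does NOT cover both PANs; bind it only to the node it names"
  fi
  if expires_within_days "$WORK/$tag.crt" 21; then
    echo "$tag.crt: expires within 21 days, renew now"
  fi
done
```

The same `san_of`/`covers_both_pans` pair works on a PEM exported from the node after the bind, or on the certificate `openssl s_client -showcerts` returns from the admin port, which is the check worth running before the maintenance window is closed.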

I could be mistaken, but I don't believe the ISE node will be restarted when you renew or replace the ISE admin certificate; only the ISE services will be restarted, and that shouldn't affect EAP sessions.

"Only" the ISE services will be restarted, and that shouldn't affect existing EAP sessions, except for reauthentications and new authentications.

Thanks @Peter Koltl, that is my understanding as well. However, I came across the following document yesterday, related to ISE 3.3 (I didn't have the chance to test it myself), that suggests that all nodes would be restarted :-/ Not sure if the behaviour changed with ISE 3.3?

"In ISE, when the Admin certificate of the Primary Admin Node (PAN) is changed, all the nodes in the deployment are reloaded, first the PAN and then the rest of nodes, and this causes a disruption in all the services."

Configure Controlled Application Restart in ISE 3.3 - Cisco

Regarding re-authentications and new authentication sessions, those shouldn't be affected AFAIK, as those will be handled by the PSN, not the PAN.

Sergio C
Level 1

The change went perfectly. As it should, the ISE service was restarted, not the server as a whole.
The services were restarted one node at a time, so at all times there was at least one active node.