01-06-2019 08:20 PM - edited 01-06-2019 08:20 PM
Hello
I don't have the time to test this myself, but has anyone got real-world advice on replacing the Admin cert of a multi-node deployment?
The customer is running ISE 2.4 in a 6 node deployment on SNS appliances.
Currently the Admin cert is a self-signed wildcard cert. This cert was installed on all secondary nodes prior to the nodes being registered to the PAN.
Customer now wishes to apply a different cert (e.g. public CA cert) to all the nodes used for Admin and possibly also EAP.
I have some concerns with this.
I am pretty sure that changing the System cert for Admin will cause the application services to restart. The outage is not an issue. The main concern I have is that the ISE cube (cluster) will somehow get messed up because of the changing of domains and the importing of certs.
Any advice appreciated.
Solved! Go to Solution.
01-06-2019 09:08 PM
Hi
For EAP, you have the option to create a new interface and an alias; then your public cert will work.
However, for Admin it'll only be on the default interface, and you have no choice but to change the domain name.
Then you can import them node by node; I start with the PSNs myself and finish with the PAN. Customers like simplicity, and most of them generate one cert with multiple SANs and then import the same one on all nodes. Never had issues here.
The issues I had were mostly after changing the domain name. There were weird issues like AD sync/join not working as expected, and I sometimes needed to unlink and link it back. Also issues with the internal CA: the biggest weird issue was that I had to disable it, generate new certs for the internal CA and re-enable it (impact on all my BYOD users).
Sometimes I also had to deregister the node from the cluster and register it back after the domain name changed.
This doesn't mean it never works (most of the time it works well); after an automatic application restart, everything is back to normal.
Anyway, when you run the command ip domain-name, a message will appear telling you to deregister your node from AD before proceeding. I'm not doing it every time I make these changes because the AD people aren't available/communicating with the network guys :-)
When I do the domain name changes, I always start with the PSNs.
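The accepted answer suggests one public cert with multiple SANs imported on every node, while the original post notes the current cert is a self-signed wildcard and that the domain name will change. The following is an added example, not code from the thread or from Cisco ISE: a pre-import check that a candidate certificate's SAN list actually covers every node FQDN, with wildcard matching as browsers and most TLS clients apply it (the wildcard covers exactly one left-most label). Node names, domains and SAN lists are constructed sample values.

```python
# Added example (not from the thread): check that a cert's SAN entries cover
# every ISE node FQDN before the cert is imported node by node.
# All hostnames and SAN values below are constructed sample data.

def wildcard_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125 style match: '*' may only be the whole left-most label and it
    covers exactly one label, so '*.lab.local' never covers 'ise-psn1.corp.example.com'
    or 'a.b.lab.local'. Wildcards with fewer than three labels (e.g. '*.com')
    are rejected as too broad (assumption: conservative policy for this check)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    p_labels, f_labels = pattern.split("."), fqdn.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(f_labels):
        return False
    return p_labels[1:] == f_labels[1:]

def san_coverage(san_dns_names, node_fqdns):
    """Map each node FQDN to the first SAN entry that covers it, or None."""
    return {
        fqdn: next((s for s in san_dns_names if wildcard_matches(s, fqdn)), None)
        for fqdn in node_fqdns
    }

def uncovered_nodes(san_dns_names, node_fqdns):
    """Node FQDNs that the SAN list does not cover (should be empty before import)."""
    return [f for f, match in san_coverage(san_dns_names, node_fqdns).items() if match is None]

# Constructed six-node deployment: names before and after the planned domain change.
OLD_NODES = [f"ise-{r}.lab.local" for r in ("pan1", "pan2", "psn1", "psn2", "psn3", "psn4")]
NEW_NODES = [f"ise-{r}.corp.example.com" for r in ("pan1", "pan2", "psn1", "psn2", "psn3", "psn4")]
OLD_WILDCARD_SAN = ["*.lab.local"]                # the current self-signed wildcard
NEW_PUBLIC_SAN = NEW_NODES[:5]                   # constructed: request forgot ise-psn4

if __name__ == "__main__":
    print("old wildcard vs old names, missing:", uncovered_nodes(OLD_WILDCARD_SAN, OLD_NODES))
    print("old wildcard vs new names, missing:", uncovered_nodes(OLD_WILDCARD_SAN, NEW_NODES))
    print("new public cert vs new names, missing:", uncovered_nodes(NEW_PUBLIC_SAN, NEW_NODES))
```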
01-07-2019 08:02 PM
01-06-2019 09:17 PM
Thanks @Francesco Molino - very useful advice for sure.
I will see whether I can convince them to keep the Admin system cert as is (there is no benefit to assigning that to a public CA cert!!). The EAP cert can then be changed to use a public CA cert without rocking the boat.
thanks
01-07-2019 08:02 PM
01-07-2019 10:01 PM
These are SNS servers. I will fight to not have to change the Admin cert ;-)
01-08-2019 10:15 AM
01-08-2019 10:17 AM
02-10-2022 10:39 AM
The trick with changing the domain name of the cluster node is to deregister it from the domain, then DELETE the machine account in the domain, wait for replication to occur in AD (15 mins max), THEN change the node domain-name and re-register the node to the domain. It's that machine account in the domain that gets wonky, so just smoke the old machine account and create a new one with the proper domain.
01-08-2019 12:49 PM
Assuming that you have sorted out the domain issues, meaning you got the cert from the public CA: you can assign the new cert in any order as long as the Root, Intermediate and Issuing CA certs have been imported into the PAN trusted store. It will propagate to all other ISE nodes' trusted stores. Now even if you take any node and assign this cert for Admin and EAP, this node will restart its services but will join the cluster.
02-15-2019 06:56 AM
Are there any issues with using the system certificate for both Admin and EAP authentication? We do not practice this policy but wondered if it is done by others.
02-15-2019 07:00 AM
It's not best practice, but it's possible and supported. Notice when you add a system cert that you can choose which roles it has per node.