System certificate problems

Malsori
Level 1

Hello,

I am experiencing issues renewing the HTTPS system certificate used for admin and portal access. The old cert has expired, and I cannot delete it until it is assigned to another cert. I successfully installed the new cert on the first node, but when I tried to import it on the other nodes, I receive an error stating that the CN or object name already exists.

I tried creating a new "empty" cert without assigning admin or portal to it, then deleting the expired one, and finally importing the real cert. However, the system reports that the new cert was created, but it does not appear in the list on any node, even after a restart.

Now the nodes are out of sync, and I am unable to import or create a cert correctly.
I am new to this process and may be doing something wrong. Could you please advise on a better approach or what I might be missing?

Thanks

3 Replies

If you've reached the point where the old admin cert has already expired and the nodes have become out of sync, the simplest and most straightforward solution is to remove the other nodes from the deployment, change them into standalone, import the certificate, go back to the primary node and add them to the deployment again.

Not ideal, but this is the process.

When the admin certificates expire and the nodes go out of sync, you can no longer install a certificate on secondary nodes through the primary, and the design doesn't allow you to import a certificate directly to secondary nodes.

There's a guide that explains this scenario and steps as well here:
https://www.cisco.com/c/en/us/support/docs/security/ise-passive-identity-connector/222732-troubleshoot-expired-ise-admin-certifica.html

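An added check, not from this thread or from Cisco: a Python inventory that reports how many days each node's admin/portal HTTPS certificate has left and flags nodes whose certificate serial differs from the primary's, so expiry and an incomplete renewal are caught before the deployment goes out of sync. It works on the dict shape Python's `ssl` module returns from `getpeercert()`; the node names, serials and dates in the sample are constructed, `fetch_cert` is for querying live nodes, and the sample itself runs offline.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumption: warn this many days ahead of expiry


def fetch_cert(host, port=443, cafile=None, timeout=5.0):
    """Handshake with a live node and return its leaf cert as a getpeercert() dict.
    The context verifies the chain, so an already-expired admin cert raises
    SSLCertVerificationError here, which is itself the finding. Pass cafile to
    trust the internal CA that signed the cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def assess_cert(cert, now=None, warn_days=WARN_DAYS):
    """Classify one cert as OK / EXPIRING / EXPIRED relative to `now` (epoch seconds)."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left < warn_days else "OK"
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    return {"status": status, "days_left": days_left, "cn": cn, "serial": cert.get("serialNumber")}


def inventory(node_certs, now=None, warn_days=WARN_DAYS):
    """node_certs maps hostname -> getpeercert() dict, primary node first.
    Returns per-node reports plus the nodes whose serial differs from the primary's,
    i.e. a renewed cert that never reached every node."""
    report = {node: assess_cert(cert, now, warn_days) for node, cert in node_certs.items()}
    primary_serial = next(iter(report.values()))["serial"]
    drift = [node for node, r in report.items() if r["serial"] != primary_serial]
    return report, drift


# Constructed sample (not real nodes): primary renewed, one secondary still on the
# expired cert, one on a cert that runs out inside the warning window.
SAMPLE_NODES = {
    "ise-pan.example.test": {"subject": ((("commonName", "ise-pan.example.test"),),),
                             "serialNumber": "0B", "notAfter": "Mar  1 00:00:00 2027 GMT"},
    "ise-psn1.example.test": {"subject": ((("commonName", "ise-psn1.example.test"),),),
                              "serialNumber": "0A", "notAfter": "Jan  1 00:00:00 2025 GMT"},
    "ise-psn2.example.test": {"subject": ((("commonName", "ise-psn2.example.test"),),),
                              "serialNumber": "0C", "notAfter": "Feb 20 00:00:00 2026 GMT"},
}
SAMPLE_AS_OF = ssl.cert_time_to_seconds("Feb  1 00:00:00 2026 GMT")  # fixed clock for the sample

if __name__ == "__main__":
    report, drift = inventory(SAMPLE_NODES, now=SAMPLE_AS_OF)
    for node, r in report.items():
        print(f"{node}: {r['status']} ({r['days_left']} days left, serial {r['serial']})")
    print("nodes not carrying the primary's cert:", drift)
```

For a live deployment, build `node_certs` with `fetch_cert(host, cafile=...)` per node and pass `now=None` so the real clock is used.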

I’m going to try this and see if it resolves the issue. Initially, I was considering whether it might be possible to detach one node at a time, fix and register the certificate on that node, instead of detaching all nodes simultaneously.
Thank you

balaji.bandi
Hall of Fame

There is an order you need to follow to install the certs.

If the cert has expired, you may need to remove the active certs before installing the new certs.

When generating a CSR, the same OU name is not accepted, so you need to use a different name here.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

BB
