Solved: System Certificates Backup/Restore

matthen · ‎06-14-2018

Are system certificates included in a configuration backup of ISE? If so, what happens during a restore? Are the existing system certificates on the target system deleted and replaced with the system certificates from the backup?

Arne Bier · ‎06-14-2018

Yes they are.

You can only restore a config backup on a standalone node. Once restored, you'll have the appropriate system cert that matches the hostname. Let's say your old pan was ise01 and you had a system cert for that. If int he deployment you also had ise02, ise03 with their own system certs, and if you restored the backup onto one of them, then I think ISE is clever enough to apply the appropriate system cert to the standalone node.

However, when you register additional nodes back into the deployment then those standalone nodes will know nothing about the PAN. You'll have to prep each standalone with your PKI Trusted Certs and then the node's system certs prior to registering it with the PAN. You could cheat and use self-signed certs but that's not cool.

View solution in original post

Arne Bier · ‎06-14-2018

Yes they are.

You can only restore a config backup on a standalone node. Once restored, you'll have the appropriate system cert that matches the hostname. Let's say your old pan was ise01 and you had a system cert for that. If int he deployment you also had ise02, ise03 with their own system certs, and if you restored the backup onto one of them, then I think ISE is clever enough to apply the appropriate system cert to the standalone node.

However, when you register additional nodes back into the deployment then those standalone nodes will know nothing about the PAN. You'll have to prep each standalone with your PKI Trusted Certs and then the node's system certs prior to registering it with the PAN. You could cheat and use self-signed certs but that's not cool.