What happens when an ISE Admin certificate has expired

Have you ever wondered what happens when an ISE admin certificate reaches its expiry date? Probably not, because we don't ever want to consider this situation because it just sounds like bad news.

We would normally heed the ISE certificate expiry warning in the Alarm viewer, and renew way in advance ... right? ;-)

But what DOES happen when the ISE admin certificate has expired? Let's say the system has been left running for a long time and nobody looks at the alarms? It could very well happen to anyone.

Here is what you would see if you browse to the PAN using the FQDN:

[Image: FQDN expiry notice]

This is displayed in the Firefox browser, and any other security-conscious browser should act the same. It refuses access to the ISE PAN. Oh dang! How do I get back in?

The Admin certificate has two SAN DNS entries and an IP address (but I made an unintentional mistake with the IP):

DNS Name: ise01.net.local
DNS Name: ise01

IP: 92.168.21.100

It turns out that the browser will turn a blind eye to this dilemma if I use the IP address of the PAN node instead. I will have to re-test to see what would have happened if I had entered the SAN IP address correctly.

[Image: IP address works]

I was able to log back in again!

[Image: ISE alarm]

I will have to create another cert with a valid SAN IP address and see whether that works too.  This is only a lab node and it's okay if I lose access forever.
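The two checks an operator actually wants before the alarm fires are "how long until this certificate expires?" and "does the name or IP I browse to actually appear in the SAN?". The script below is an added example, not code from the original post or from Cisco ISE; it builds a throwaway lab certificate with `openssl` carrying the same SAN list as the post (including the mistyped IP `92.168.21.100`), then runs both checks against it. It assumes OpenSSL 1.1.1 or newer (for `req -addext`), and the function names `make_lab_cert`, `valid_for_days` and `san_contains` are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build a constructed lab cert with the
# post's SAN entries, then check expiry window and SAN membership before a browser does.
set -eu

WORK="${TMPDIR:-/tmp}/ise-cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed lab certificate. The SAN mirrors the post, including the
# mistyped IP 92.168.21.100 (the PAN is actually reached at 192.168.21.100).
# Valid for 30 days from creation. Prints the certificate path.
make_lab_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=ise01.net.local" \
    -addext "subjectAltName=DNS:ise01.net.local,DNS:ise01,IP:92.168.21.100" \
    >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# valid_for_days CERT DAYS
# Returns 0 if the certificate is still valid DAYS from now, 1 if it will have
# expired by then. Scheduling this with a generous window is the proactive
# alternative to waiting for the ISE alarm viewer to complain.
valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# san_contains CERT NAME
# Returns 0 if NAME (a DNS name or an IP address) is listed in the certificate's
# subjectAltName as a whole entry, 1 otherwise. Entries are split on commas so
# "ise01" does not match "ise01.net.local" by accident.
san_contains() {
  cert="$1"; name="$2"
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx -e "DNS:$name" -e "IP Address:$name"
}

CERT=$(make_lab_cert)

# Expiry check with a 60-day warning window: the lab cert only has 30 days left,
# so this is the point at which a renewal ticket should be raised.
if valid_for_days "$CERT" 60; then
  echo "expiry: ok for at least 60 days"
else
  echo "expiry: WARNING, certificate expires within 60 days"
fi

# SAN check for the names an admin might type into the browser. The real PAN
# address 192.168.21.100 is missing because of the typo in the SAN.
for n in ise01.net.local ise01 192.168.21.100 92.168.21.100; do
  if san_contains "$CERT" "$n"; then
    echo "$n: present in SAN"
  else
    echo "$n: NOT in SAN (browser would report a name mismatch)"
  fi
done
```

Run it from any shell with `openssl` on the PATH; the key and certificate are written under `$TMPDIR` and removed on exit. Point `san_contains` and `valid_for_days` at an exported copy of a real ISE admin certificate instead of the lab one to get the same answers for a production node.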