Have you ever wondered what happens when an ISE admin certificate reaches its expiry date? Probably not: nobody wants to consider this situation, because it just sounds like bad news.
We would normally heed the ISE certificate expiry warning in the Alarm viewer, and renew way in advance ... right? ;-)
But what DOES happen when the ISE admin certificate has expired? Let's say the system has been left running for a long time and nobody looks at the alarms. It could very well happen to anyone.
Here is what you would see if you browse to the PAN using the FQDN.
This is displayed in the Firefox browser - and any other security-conscious browser should act the same. It refuses access to the ISE PAN. Oh dang! How do I get back in?
The Admin certificate has two SAN DNS entries and an IP address (but I made an unintentional mistake with the IP):
DNS Name: ise01.net.local
DNS Name: ise01
IP: 92.168.21.100
It turns out that the browser will turn a blind eye to this dilemma if I use the IP address of the PAN node instead. I will have to re-test to see what would have happened if I had entered the SAN IP address correctly.
I was able to log back in again!
I will have to create another cert with a valid SAN IP address and see whether that works too. This is only a lab node and it's okay if I lose access forever.
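A check that would flag both conditions in this post, the approaching expiry and the mistyped SAN IP, before they lock anyone out. This is an added example, not part of the original post. It assumes the certificate is supplied as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the `notAfter` date is constructed, and `192.168.21.100` as the node's real address is an assumption.

```python
import ipaddress
import ssl

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert().
# SAN entries are the ones listed in the post; notAfter is made up.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2024 GMT",
    "subjectAltName": (
        ("DNS", "ise01.net.local"),
        ("DNS", "ise01"),
        ("IP Address", "92.168.21.100"),
    ),
}


def days_until_expiry(cert, now):
    """Whole days from `now` (aware datetime) to notAfter; negative once expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def san_covers(cert, name):
    """True if `name` (hostname or IP literal) equals a SAN entry; no wildcards."""
    try:
        wanted, kind = ipaddress.ip_address(name), "IP Address"
    except ValueError:
        wanted, kind = name.lower().rstrip("."), "DNS"
    for san_kind, value in cert.get("subjectAltName", ()):
        if san_kind != kind:
            continue
        candidate = ipaddress.ip_address(value) if kind == "IP Address" else value.lower()
        if candidate == wanted:
            return True
    return False


def audit(cert, access_names, now, warn_days=30):
    """Return findings for expiry and for access names missing from the SAN."""
    findings = []
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(f"expired {-left} day(s) ago")
    elif left <= warn_days:
        findings.append(f"expires in {left} day(s)")
    findings += [f"{n} not in SAN" for n in access_names if not san_covers(cert, n)]
    return findings
```

Pass `audit()` every name and address administrators actually use to reach the node, so a SAN typo surfaces at issuance time rather than during an outage.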