
ISE Self Signed Certificate Renew/Change process

biakorofidorel
Level 1

Hello Guys

I have a two-node deployment for ISE.

ISE1 primary administration & secondary monitoring

ISE2 secondary administration & primary monitoring

The self-signed certificates on ISE have expired.

I've tried to renew the certificate; it looked OK, but it wasn't, and the old certificate is still there.

I tried to delete the old certificate, but I got the error "unable to delete certificates that are associated with a protocol"

Can you help here please? I can't renew the certificate at all.

Cheers

4 Replies

The initial self-signed certificates are not really meant to be used in production. The best way to use certificates depends on the intended usage.

Without knowing what you are doing with your ISE, a usual way is to generate a certificate with SANs for both nodes (and if needed for sponsor/mydevices) and import the new certificate in both nodes. After that you assign the protocols to this new certificate and then the old one can be deleted.

I assume you don't have a CA in place; in that case I would generate the certificates on a Linux box or Mac with OpenSSL.

cheungchunyu
Level 1

Hello

After you renew the cert, you need to replace the old cert in "system cert".

When you replace the cert, remember to choose the default cert group. This can replace the cert that is in use in the portal (admin, sponsor and hotspot).

Duncan

Hello Duncan,

I have even tried to renew the current cert and even create a new one. The whole process looks OK, but the old certificate is still there.

Where do I replace this old expired cert?

Your old certificate is still in use and it seems that there is no new one. First make sure that you get your new certificate, then configure this one for all protocols (at least HTTPS and EAP are enabled on the old cert). After that you can delete the old certificate.