Service impact on ISE certificate renewal

CCC3 · ‎04-23-2024

Hello.

I'm trying to renew the ISE's certificate, but I'm using both admin and eap authentication, portal, and radius DTLS.

In this case, I would like to know if renewing this certificate will reboot the ISE or if it will cause downtime.

The certificate is a private certificate.

MHM Cisco World · ‎04-23-2024

Renew the admin cert. Will automatically need restart ISE

MHM

CCC3 · ‎04-23-2024

Would there be a downtime if I only renewed for eap authentication apart from the admin certificate?

MHM Cisco World · ‎04-24-2024

Will check and I will share some note about how you renew cert. Without loss service.

In end keep in mind that you need to use same name in CN or SAN.

MHM

Rob Ingram · ‎04-24-2024

@CCC3 only replacing the admin certificate requires the ISE application services to restart. Renewing the EAP authentication certificate will not require downtime.

Aref Alsouqi · ‎04-24-2024

As @Rob Ingram mentioned, renewing ISE admin cert would require ISE services to be restarted (I am not sure if this behaviour has changed in ISE 3.3 as per the below link). However, if you have EAP authentication usage associated to the same certificate, then during the renewal process there will be a brief amount of downtime for the dot1x re-authentication and new authentication sessions, because during that time ISE won't be able to present its identity certificate to the clients during negotiation. On the other side, if EAP authentication usage is associated to a different certificate, and you go and renew the admin certificate then authentication sessions wouldn't be affected.

Configure Controlled Application Restart in ISE 3.3 - Cisco