06-14-2018 02:43 PM
Are system certificates included in a configuration backup of ISE? If so, what happens during a restore? Are the existing system certificates on the target system deleted and replaced with the system certificates from the backup?
Solved! Go to Solution.
06-14-2018 07:50 PM
Yes they are.
You can only restore a config backup on a standalone node. Once restored, you'll have the appropriate system cert that matches the hostname. Let's say your old pan was ise01 and you had a system cert for that. If int he deployment you also had ise02, ise03 with their own system certs, and if you restored the backup onto one of them, then I think ISE is clever enough to apply the appropriate system cert to the standalone node.
However, when you register additional nodes back into the deployment then those standalone nodes will know nothing about the PAN. You'll have to prep each standalone with your PKI Trusted Certs and then the node's system certs prior to registering it with the PAN. You could cheat and use self-signed certs but that's not cool.
06-14-2018 07:50 PM
Yes they are.
You can only restore a config backup on a standalone node. Once restored, you'll have the appropriate system cert that matches the hostname. Let's say your old pan was ise01 and you had a system cert for that. If int he deployment you also had ise02, ise03 with their own system certs, and if you restored the backup onto one of them, then I think ISE is clever enough to apply the appropriate system cert to the standalone node.
However, when you register additional nodes back into the deployment then those standalone nodes will know nothing about the PAN. You'll have to prep each standalone with your PKI Trusted Certs and then the node's system certs prior to registering it with the PAN. You could cheat and use self-signed certs but that's not cool.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide