ISE Certificates

Rafael Mendes
Level 2

Hello Guys,

I have an environment with two admin/monitoring nodes (ISEA-1, ISEA-2) and two PSN nodes (ISEB-1, ISEB-2).

My certificate expires in one month, so I need to change it as soon as possible.

I need to know if it's possible to generate the new certificate (using a third-party CA) using the current CSR. Can I?

Will I have any problem because of this?

I tried to create another CSR using the same CN and I got the error "This certificate already exists".

Thank you,

Rafael

9 Replies

nspasov
Cisco Employee

Generally, the answer is: Yes, you can use the existing CSR with another CA, unless the new CA has some extra requirements that are missing from that existing CSR.

On the other hand, you can safely delete the existing CSR without affecting the production of the environment. Also, you can use a third-party tool such as OpenSSL to generate a new CSR. Once the CSR is signed you can import the certificate along with the private key to your ISE servers. You can then change the settings so the servers are using the new certificates (a restart will be required if used for the HTTP/HTTPS service).

Thank you for rating helpful posts!
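As an added example (not from this thread or from Cisco), here is a small POSIX sh script with the OpenSSL checks I would run around the workflow Neno describes: generating a CSR outside ISE, confirming the CSR carries the SAN a third-party CA will look for, confirming the signed certificate actually matches the private key before importing it into ISE, and flagging a certificate that expires within N days. The hostname, organisation name and output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Hostnames and the O= value are
# constructed; adjust them to your own nodes before use.
set -e

# Generate a 2048-bit RSA key and a CSR for one ISE node. The FQDN goes in
# both CN and SAN, because many CAs now reject a CSR without a SAN entry.
# $1 = node FQDN, $2 = output path prefix (writes $2.key and $2.csr)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$1/O=Example Org" \
    -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Return 0 if the CSR carries a DNS SAN for the given FQDN; worth checking
# before submitting the CSR to a third-party CA. $1 = FQDN, $2 = CSR file
csr_has_san() {
  openssl req -in "$2" -noout -text 2>/dev/null | grep -q "DNS:$1"
}

# Return 0 if the certificate's public key matches the private key. Run this
# before importing: a cert issued from a reused CSR must match the key ISE
# already holds, and one from an OpenSSL CSR must match the key you generated.
# $1 = private key file, $2 = certificate file
cert_matches_key() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  openssl x509 -in "$2" -noout 2>/dev/null || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Return 0 if the certificate expires within $2 days (the thread's situation
# is one month left). -checkend avoids any platform-specific date parsing.
# $1 = certificate file, $2 = days
cert_expires_within() {
  openssl x509 -in "$1" -noout 2>/dev/null || return 2
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Demo: build a CSR for one node and show the subject that goes to the CA.
WORK=$(mktemp -d)
make_csr ISE-1-NEW.mydomain.com "$WORK/ise-1-new"
openssl req -in "$WORK/ise-1-new.csr" -noout -subject
```

The matching check is the one that saves an import that fails with an opaque error: if the CA returned a certificate for a different key (for example, a CSR regenerated elsewhere), the two fingerprints will differ.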

Hi Neno,

Ok!

I appreciate your help!

Thank you!


No problem! If your issue is resolved you should mark your thread as "answered" ;)

Hi Neno,

One more question.

I'm constructing a new environment that will have four ISE machines in version 1.2.1. I will export the backup of the current machines, which are in version 1.1.2.145, and import it into the new machines.

The new machines will have different hostnames than the current machines, for example:

Current machines:
ISE-1.mydomain.com
ISE-2.mydomain.com
ISE-3.mydomain.com
ISE-4.mydomain.com

New machines:
ISE-1-NEW.mydomain.com
ISE-2-NEW.mydomain.com
ISE-3-NEW.mydomain.com
ISE-4-NEW.mydomain.com

The question is, will I have problems in the backup import process because of the version or the differences between the hostnames of the machines?

Thank you,

It is technically supported but I have personally never done it:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/upgrade_guide/b_ise_upgrade_guide/b_ise_upgrade_guide_chapter_010.html

I would recommend that you upgrade the current environment to the latest version and patch; that way you don't run into any incompatibility issues.

An even better/cleaner solution would be to build the new infrastructure and configure it manually from scratch, using the old environment for reference. I am assuming you will be using different hostnames, IPs, etc. This will require new certificates, license keys, etc., so dealing with backup/restore might just be more of a pain for you. Up to you :)


Thank you for rating helpful posts!

Okay.

I will build a new infrastructure from scratch.

I agree with you, but I'm afraid about this: I have a lot of MAC addresses entered in our ISE base for MAB auth, more than 5K, so it will be laborious.

Is there any way to input these MACs automatically? I can configure the rules for authentication and authorization again with no problems, but, like I said, our MAB base is very big to configure manually one by one again.

Thank you!

The endpoints can be exported from the old system and then imported in the new one. Here is how I would do it:

1. Export the endpoints from the old system

2. Generate a new "Import" template from "Administration > Identity Management > Identities > Endpoints > Import > Import from a file"

3. Take the values from step #1 and paste them in the new import file and make adjustments (if needed)

4. Import the endpoints


Thank you for rating helpful posts!

I agree - endpoint export-import works well. I've done it on systems with no problem.

+5

Ok guys, I'll do this next month. I'll let you know whether this worked well in my environment or not; I guess we won't have problems.

I appreciate your help.

Thank you,