09-30-2014 10:44 AM - edited 03-10-2019 10:04 PM
Hello Guys,
I have an environment with two admin/monitoring (ISEA-1, ISEA-2) nodes and two PSN (ISEB-1, ISEB-2) nodes.
My certificate expires in one month, so I need to change this as soon as possible.
I need to know if it's possible to generate the new certificate (using a third-party CA) using the current CSR, can I?
Will I have some problem because of this?
I tried to create another CSR using the same CN and I got the error "This certificate already exists".
Thank you,
Rafael
09-30-2014 01:44 PM
Generally, the answer is: Yes, you can use the existing CSR with another CA, unless the new CA has some extra requirements that are missing from that existing CSR.
On the other hand, you can safely delete the existing CSR without affecting the production of the environment. Also, you can use a third-party tool such as OpenSSL to generate a new CSR. Once the CSR is signed you can import the certificate along with the private key to your ISE servers. You can then change the settings so the servers are using the new certificates (restart will be required if used for the HTTP/HTTPS service).
Thank you for rating helpful posts!
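The OpenSSL route described in the answer above, as an added example that is not part of the original post or of Cisco's documentation: generate a fresh key and CSR for one node, then confirm that the certificate the CA returns was issued for that private key before importing the pair. The hostname is taken from later in the thread; the `O=` value, the SAN entry, the file layout and the function names are assumptions, and self-signing stands in for the third-party CA.

```shell
#!/usr/bin/env bash
# Added example: fresh key + CSR for one ISE node, then a check that the
# certificate returned by the CA belongs to that key before importing the pair.
# Hostname is from the thread; O= and the SAN entry are assumptions.

# make_csr FQDN DIR: writes DIR/FQDN.key (owner-only) and DIR/FQDN.csr
make_csr() {
    local fqdn=$1 dir=$2
    cat > "$dir/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
O = Example Org
[ext]
subjectAltName = DNS:$fqdn
EOF
    ( umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null ) &&
    openssl req -new -sha256 -key "$dir/$fqdn.key" \
        -config "$dir/$fqdn.cnf" -out "$dir/$fqdn.csr"
}

# pubkey_fp KIND FILE: SHA-256 over the public key held in a key, CSR or cert
pubkey_fp() {
    local pub
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable file must not hash as "empty"
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: true only if the certificate was issued for KEY
cert_matches_key() {
    local c k
    c=$(pubkey_fp cert "$1") && k=$(pubkey_fp key "$2") && [ "$c" = "$k" ]
}

# Demo in a scratch directory; self-signing stands in for the CA's reply.
d=$(mktemp -d); h=ISE-1-NEW.mydomain.com
make_csr "$h" "$d" &&
openssl x509 -req -in "$d/$h.csr" -signkey "$d/$h.key" -days 1 \
    -out "$d/$h.crt" 2>/dev/null &&
cert_matches_key "$d/$h.crt" "$d/$h.key" && echo "certificate matches key"
```

Because the key is generated outside the appliance, the `.key` file is the only copy of the node's private key until it is imported, so it should stay on a trusted host and be removed afterwards.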
10-01-2014 09:42 AM
Hi Neno,
Ok!
I appreciate your help!
Thank you!
10-01-2014 10:26 AM
No problem! If your issue is resolved you should mark your thread as "answered" ;)
10-02-2014 10:44 AM
Hi Neno,
One more question.
I'm constructing a new environment that will have four ISE machines in version 1.2.1. I will export the backup of the current machines that are in version 1.1.2.145 and import this in the new machines.
The new machines will have different hostnames than the current machines, example:
Current machines:
ISE-1.mydomain.com
ISE-2.mydomain.com
ISE-3.mydomain.com
ISE-4.mydomain.com
New Machines
ISE-1-NEW.mydomain.com
ISE-2-NEW.mydomain.com
ISE-3-NEW.mydomain.com
ISE-4-NEW.mydomain.com
The question is, will I have problems in the backup import process because of the version or the differences between the hostnames of the machines?
Thank you,
10-02-2014 11:00 AM
It is technically supported but I have personally never done it:
I would recommend that you upgrade the current environment to the latest version and patch; that way you don't run into any incompatibility issues.
An even better/cleaner solution would be to build the new infrastructure and configure it manually from scratch and use the old environment for reference. I am assuming you will be using different hostnames, IPs, etc. This will require new certificates, license keys, etc so dealing with backup/restore might just be more of a pain for you. Up to you :)
Thank you for rating helpful posts!
10-10-2014 10:58 AM
Okay.
I will build a new infrastructure from scratch.
I agree with you, but I'm afraid about this: I have a lot of MAC addresses input in your ISE base for MAB Auth, more than 5K, so it will be laborious.
Is there any way to input these MACs automatically? I can configure the rules for authentication and authorization again with no problems, but, like I said, our MAB base is very big to configure manually one by one again.
Thank you!
10-10-2014 07:51 PM
The endpoints can be exported from the old system and then imported in the new one. Here is how I would do it:
1. Export the endpoints from old system
2. Generate a new "Import" template from "Administration > Identity Management > Identities > Endpoints > Import > Import from a file"
3. Take the values from step #1 and paste them in the new import file and make adjustments (if needed)
4. Import the endpoints
Thank you for rating helpful posts!
10-11-2014 10:50 AM
I agree - endpoint export-import works well. I've done it on systems with no problem.
+5
10-13-2014 05:51 AM
Ok guys, I'll do this next month. I'll let you know if this worked well in my environment or not; I guess we won't have problems.
I appreciate your help.
Thank you,