Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Import and Export Certificates in ISE

Available Languages

Download Options

  • PDF     (785.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (842.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (573.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 15, 2021
Document ID:215927

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to import and export the certificates in Cisco Identity Service Engine (ISE).

    Background Information

    ISE uses certificates for various purposes (Web UI, Web Portals, EAP, pxgrid).  Certificate present on ISE can have one of these roles:

    • Admin: For internode communication and authentication of the Admin portal.

    • EAP: For EAP authentication.

    • RADIUS DTLS: For RADIUS DTLS server authentication.

    • Portal: In order to communicate among all Cisco ISE end-user portals.

    • PxGrid: In order to communicate between the pxGrid controller.

    It is important to take a backup of certificates installed on ISE nodes. When you take the configuration backup, the backup of configuration data and certificate of the admin node is taken. However, for other nodes, the backup of certificates is taken individually.

    Export the Certificate in ISE

    Navigate to Administration > System > Certificates > Certificate Management> System certificate. Expand the node, select the certificate, and click Export, as shown in the image:

    As shown in this image, select the Export Certificate and Private Key. Enter a minimum 8 character in length alpha-numeric password. This password is required to restore the certificate.

    Tip: Do not forget the password.

    Import the Certificate in ISE

    There are two steps involved to import the certificate on ISE.

    Step 1. Find out if the certificate is self-signed or 3rd party signed certificate.

    • If the certificate is self-signed, import the public key of the certificate under trusted certificates.
    • If the certificate is signed by some third-party certificate authority, Import Root and all other intermediate certificates of the certificate.

    Navigate to Administration > System > Certificates > Certificate Management > Trusted Certificate, click Import, as shown in this image.

    Step 2. Import the actual certificate.

    1. As shown in this image, navigate to Administration > System > Certificates > Certificate Management, click Import. If the admin role is assigned to the certificate, the service on the node restarts.

    2. Select the node for which you want to import the certificate.

    3. Browse the public and private keys.

    4. Enter the password for the private key of the certificate and select the desired role.

    5. Now click Submit, as shown in this image.

    TAC Authored

    Contributed by Cisco Engineers

    • Pankaj Kumar
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products