Introduction
This document describes how to back up the system certificates of Identity Service Engine (ISE).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of Identity Service Engine (ISE)
Components Used
The information in this document is based on Cisco Identity Service Engine 2.7.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
ISE uses certificates for various purposes (Web UI, Web Portals, EAP, pxGrid). A certificate present on ISE can have one of these roles:
- Admin: For internode communication and authenticating the Admin portal.
- EAP: For EAP authentication.
- RADIUS DTLS: For RADIUS DTLS server authentication.
- Portal: For communicating with all Cisco ISE end-user portals.
- PxGrid: For communicating with the pxGrid controller.
It is important to back up the certificates installed on ISE nodes. A configuration backup includes the configuration data and the certificate of the admin node. For Policy Service Nodes (PSN), however, the certificates must be backed up individually.
How to take the Certificate Backup of Identity Service Engine?
Navigate to Administration > System > Certificates > Certificate Management > System certificate. Expand the node, select the certificate, and click Export, as shown in the image:

Select Export Certificate and Private Key. Enter an alphanumeric password that is at least 8 characters long. This password is required to restore the certificate.

Tip: Ensure that you remember the password.
How to Import a Certificate on the Identity Service Engine?
There are two steps involved in importing a certificate on ISE.
Step 1. Find out whether the certificate is self-signed or signed by a third party.
If the certificate is self-signed, import the public key of the certificate under trusted certificates. If the certificate is signed by a third-party certificate, import the root and all intermediate certificates of the certificate.
Navigate to Administration > System > Certificates > Certificate Management > Trusted Certificate, click Import, as shown in this image.


Step 2. Import the actual certificate.
Navigate to Administration > System > Certificates > Certificate Management, click Import. If the admin role is assigned to the certificate, the service on the node restarts.

Select the node for which you want to import the certificate, browse to the public and private key files, enter the password for the private key of the certificate, select the desired role, and click Submit, as shown in this image.
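
The check in Step 1 and the export password from the backup procedure can both be verified offline with the OpenSSL command line before an import is attempted. This is an added example, not Cisco code: the file names are placeholders, and it assumes the exported certificate and private key have been extracted as PEM files, with the key encrypted under the export password.

```shell
#!/bin/sh
# Added example (not Cisco code). File names are placeholders; the key file is
# assumed to be a PEM-encoded private key encrypted with the export password.

# cert_kind CERT.pem: print "self-signed" when the subject and issuer names are
# identical, otherwise "ca-signed" (import the root and intermediates first).
cert_kind() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//')
    [ -n "$subject" ] || { echo unreadable; return 2; }
    if [ "$subject" = "$issuer" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# key_matches_cert CERT.pem KEY.pem: succeed only if the password in $KEYPASS
# decrypts the key and its public half equals the public key in the certificate.
# Returns 0 = match, 1 = different key, 2 = unreadable file or wrong password.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin env:KEYPASS -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: export KEYPASS='<export password>'; sh check_export.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    echo "certificate type: $(cert_kind "$1")"
    if key_matches_cert "$1" "$2"; then
        echo "private key decrypts with KEYPASS and matches the certificate"
    else
        echo "key check failed: wrong password, unreadable file, or mismatched key" >&2
        exit 1
    fi
fi
```

The password is read from the KEYPASS environment variable so that it does not appear in the process list or shell history as a command-line argument.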
