Troubleshoot Expired ISE Admin Certificate

Available Languages

Download Options

  • PDF     (2.8 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (3.1 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.1 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:January 29, 2025
Document ID:222732

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot and renew an expired Cisco Identity Services Engine (ISE) Admin Certificate.

    Prerequisites

    Requirements

    Cisco recommends that you have the knowledge of these topics:

    • Cisco ISE Deployment.
    • Certificate Management in Cisco ISE.

    Components Used

    The information in this document is based on these software version:

    • Cisco Identity Services Engine (ISE) version 3.3 Patch4.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This document focuses on the distributed deployment; however, you can use the same troubleshooting plan on standalone node.

    In ISE Distributed Deployment, the node is either Primary Admin Node (PPAN) or secondary.

    This document uses ISE Admin certificate as a self-signed certificate in order to demonstrate the impact of certificate expired, but this approach is not recommended for a production system. It is better to use authority-signed certificate for admin usage.

    Note: Cisco recommends you to keep your Admin certificate in health state and plan the renewal in advance, find this guide to help you track and renew ISE System Certificates (Configure Certificate Renewals on ISE).

    ISE Admin Certificate (Expired)

    Validate Admin Certificate Status

    Step 1. Check the deployment status. Navigate to Administration > System > Deployment.

    You can check the secondary nodes status, as shown, the three secondary nodes are (Not in Sync).

    Deployment StatusDeployment Status

    Step 2. Review the Alarms. Navigate to Dashboard > Alarms > (Certificate Expired).

    To confirm which node and which certificate is expired.

    Note: If the Primary Admin Node (PPAN) expired before any secondary node you can not see any alarms from that node, that is what happened for Secondary Admin Node (SPAN) in this alarm.

    Alarms (Certificate Expired)Alarms (Certificate Expired)

    Step 3. Check the admin certificate status. Navigate to Administration > System > Certificates > Certificate Management > System Certificates > Expand node.

    1. Primary Admin Node (PPAN):

    PPAN Admin Certificate StatusPPAN Admin Certificate Status

    2. Secondary nodes.

    For the secondary nodes it could be 1 of 2 options and in both cases you must apply the same action plan:

    A. Can Expand the node system certificate and confirm that the admin certificate is expired:

    Secondary Node Admin Certificate StatusSecondary Node Admin Certificate Status

    B. Throw error ("Error loading certificates. Node not reachable at this time. Try again later.") as shown for (ise-psn2

    Secondary Node Not ReachableSecondary Node Not Reachable

    Action Plan

    After you confirm the admin certificate expired for all 4 nodes, you must apply these steps:

    Step 1. Deregister all secondary nodes from the distributed deployment (only if the admin certificate is expired).

    Navigate to Administration > System > Deployment > Check [ √ ] of the secondary nodes and click Deregister.

    Note: Deregister the node means it move to standalone then you can renew the admin certificate on this node.

    Deregister Secondary NodesDeregister Secondary Nodes

    Note: Remember to deregister only secondary nodes where the admin certificate is already expired and to keep the rest. In this document, all the secondary nodes are expired.

    All Secondary Nodes are DeregisteredAll Secondary Nodes are Deregistered

    Step 2. Renew admin certificate of the Primary Admin Node (PPAN).

    1. Navigate to Administration > System > Certificates > Certificate Management > System Certificates > Click +Generate Self Signed Certificate:

    Generate new Self-Signed Admin CertificateGenerate new Self-Signed Admin Certificate

    2. Select the Primary Admin Node (PPAN) (ise-ppan) and fill the certificate information:

    Select the Primary Admin Node (PPAN)Select the Primary Admin Node (PPAN)

    3. Check [ √ ] the Admin usage.

    Admin UsageAdmin Usage

    4. Set the Restart Time to Restart Now for the Primary Admin Node (PPAN). Set all nodes on the deployment either to Restart Now or Restart Later.

    After you renew an admin certificate (a certificate configured for admin usage) on the Primary Admin Node (PPAN), all the nodes in your deployment must be restarted.

    Set Restart Time to NowSet Restart Time to Now

    5. Click Submit.

    Note: After you renew an admin certificate (a certificate configured for admin usage) on the Primary Admin Node (PPAN) all the nodes in your deployment must be restarted. You can either restart each node immediately or schedule the restarts later. This feature allows you to ensure that no running processes are disrupted by the automatic restarts, giving you greater control over the process.

    You can view and edit the scheduled restarts in the Administration > System > Certificates > Admin Certificate Node Restart window, which is available from Cisco ISE Release 3.3.

    6. Verify the new admin certificate of the Primary Admin Node (PPAN).

    Navigate to Administration > System > Certificates > Certificate Management > System Certificates > Expand (ise-ppan).

    New Admin Certificate (ise-ppan)New Admin Certificate (ise-ppan)

    Step 3. Renew admin certificate of the secondary nodes.

    1. Confirm the secondary node on standalone deployment after deregistered from the distributed deployment.

    Browse the node via GUI (https://<FQDN/IP>) and navigate to Administration > System > Deployment.

    (ise-span) on Standalone Deployment(ise-span) on Standalone Deployment

    2. Navigate to Administration > System > Certificates > Certificate Management > System Certificates > Click +Generate Self Signed Certificate.

    Generate new Self-Signed Admin CertificateGenerate new Self-Signed Admin Certificate

    3. Select the (ise-span) and fill the certificate information.

    Select the NodeSelect the Node

    4. Check [ √ ] the Admin usage.

    Admin UsageAdmin Usage

    Note: Changing the certificate of the admin role certificate on ISE node restarts services.

    5. Click Submit.

    6. Verify the new admin certificate on (ise-span).

    Navigate to Administration > System > Certificates > Certificate Management > System Certificates > Expand (ise-span).

    New Admin Certificate (ise-span)New Admin Certificate (ise-span)

    Step 4. Register the secondary nodes to the distributed deployment.

    Set up your deployment personas and roles as it was before (Admin, MNT, PSN, etc).

    1. From Primary Admin Node (PPAN) GUI. Navigate to Administration > System > Deployment > Click Register.

    Primary Admin Node (PPAN) GUIPrimary Admin Node (PPAN) GUI

    2. Enter the FQDN and credentials of the secondary node (User Name/Password).

    Enter the DNS-resolvable fully qualified domain name (FQDN) of the standalone node that you are going to register. The FQDN of the (PPAN) and the node being registered must be resolvable from each other.

    Enter Secondary Node AccessEnter Secondary Node Access

    3. Enable the correct persona and services.

    Register Secondary Node (ise-span)Register Secondary Node (ise-span)

    Step 5. Verify the deployment status.

    Navigate to Administration > System > Deployment.

    (ise-span) Added to the Deployment(ise-span) Added to the Deployment

    Troubleshoot

    Use Case 1: Deregistered Secondary Node Stuck on Distributed State (ise-psn1)

    Validate the Status

    Step 1. Confirm the distributed deployment status.

    From Primary Admin Node (PPAN) GUI. Navigate to Administration > System > Deployment. You can confirm this node (ise-psn1) is already deregisted.

    (PPAN) Deployment Nodes(PPAN) Deployment Nodes

    Step 2. Confirm the (ise-psn1) node status.

    Browse the secondary node via GUI (https://ise-psn1.kdlab.local) and navigate Login > About ISE and Server.

    Secondary Node (ise-psn1) Stuck on Distributed Deployment StatusSecondary Node (ise-psn1) Stuck on Distributed Deployment Status

    Workaround

    Step 1. Deregister the (ise-psn1) node manually.

    Enforce the (ise-psn1) node to standalone deployment via GUI (https://<ise-psn1 IP>/deployment-rpc/deregister-node).

    Deregister the Node Manually - GUIDeregister the Node Manually - GUI

    Step 2. Verify the (ise-psn1) now on standalone deployment.

    (ise-psn1) on Standalone Deployment(ise-psn1) on Standalone Deployment

    Step 3. Once you can confirm the node on standalone status, proceed with the same steps on Action Plan section:

    1. Renew admin certificate of the (ise-psn1) Node.
    2. Register the(ise-psn1) node to the distributed deployment.
    3. Verify the deployment status.

    (ise-psn1) Added to the Deployment(ise-psn1) Added to the Deployment

    Use Case 2: Deregistered Secondary Node GUI Unreachable (ise-psn2)

    Validate the Status

    Step 1. Confirm the distributed deployment status.

    From Primary Admin Node (PPAN) GUI. Navigate to Administration > System > Deployment. You can confirm this node (ise-psn2) is already deregisted.

    (PPAN) Deployment Nodes(PPAN) Deployment Nodes

    Step 2. Confirm the (ise-psn2) node status.

    Due to the admin certificate is expired in some cases you can hit these symptoms:

    • (ise-psn2) GUI unreachable.
    • (ise-psn2) CLI (show application status ise) ISE application is stuck on (initializing or not running).
    • (ise-psn2) CLI (show tech) the node already on standalone deployment.

    (ise-psn2) on Standalone Deployment(ise-psn2) on Standalone Deployment

    Workaround

    Step 1. Renew admin certificate of the (ise-psn2) Node.

    1. Login to (ise-psn2) via CLI.
    2. Enter application configure ise.
    3. Enter 31 ([31] Generate Self-Signed Admin Certificate)).
    4. Do you want to continue? y/[n]: y
    5. Do you want to replace existing certificate after generation? y/[n]: y

    Renew (ise-psn1) Admin CertificateRenew (ise-psn1) Admin Certificate

    6. Verify the new admin certificate on (ise-psn2).

    New Admin Certificate (ise-psn2)New Admin Certificate (ise-psn2)

    Step 2. Register the(ise-psn2) node to the distributed deployment.

    Step 3. Verify the deployment status.

    The Deployment in Sync Again!The Deployment in Sync Again!

    References

    Relevant

    Revision History

    Revision Publish Date Comments
    2.0
    29-Jan-2025
    Initial Release
    1.0
    27-Jan-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Khaled Douma
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products