1. Default Certificates on a new ISE 3.1 installation
Certificate Services Chain:
Root CA - ISE31A >>>> Node CA - ISE31A >>>> Endpoint Sub CA >>> ISE messaging Service
>>> pxGrid
ISE-B has similar system and trusted certificates. Once it joins the cluster, the ISE-B Root CA, Node CA and Sub CA are automatically deleted from ISE-B, and new Node CA and Sub CA certificates are generated that chain to the ISE-A root. This leaves ISE-A as the only root CA in the cluster. If this doesn't happen, we need to regenerate the Messaging Service certificate; otherwise we may get a "queue link error", and viewing the Messaging Service certificate on ISE-B shows that the chain is broken. To fix it:
1. Go to the ISE31A admin GUI
2. Navigate to Administration > System > Certificate
3. Click "Certificate Signing Requests" > click "Generate Certificate Signing Requests (CSR)" button
4. In Usage: Certificate(s) will be used for, choose "ISE Messaging Service"
5. Check "Regenerate ISE Messaging Service Certificate".
6. In the node list, check ISE31B only, click Generate.
Once ISE-B is registered and rebooted, the ISE-B GUI only shows System Certificates.
Review the system certificates on ISE-B and on the PSN ISE-C, and delete any Messaging Service and pxGrid certificates whose chain leads to the obsolete ISE-B root CA.
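The same review can be done offline with openssl, assuming the certificates have been exported as PEM files. The script below is an added example, not part of the original post or of ISE itself: it builds a constructed lab PKI (every file and subject name such as rootA or msg-stale is made up) and flags any leaf that does not chain to the one root the cluster should trust.

```shell
#!/usr/bin/env bash
# Added example. Every name below is constructed; none is a real ISE certificate.

# mkcert DIR NAME ISSUER CA_FLAG : issue NAME signed by ISSUER (self-signed if equal)
mkcert() {
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ "$2" = "$3" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
      -CAcreateserial -days 2 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

# build_lab DIR : constructed stand-in for the two chains that can exist on ISE-B.
# "new" = Node CA / Sub CA reissued under the ISE-A root; "old" = leftover ISE-B root chain.
build_lab() {
  mkcert "$1" rootA rootA TRUE && mkcert "$1" nodeB-new rootA TRUE &&
  mkcert "$1" subB-new nodeB-new TRUE && mkcert "$1" msg-new subB-new FALSE &&
  mkcert "$1" rootB-old rootB-old TRUE && mkcert "$1" nodeB-old rootB-old TRUE &&
  mkcert "$1" subB-old nodeB-old TRUE && mkcert "$1" msg-stale subB-old FALSE &&
  cat "$1"/nodeB-*.pem "$1"/subB-*.pem > "$1/intermediates.pem"
}

# chains_to ROOT_PEM UNTRUSTED_PEM LEAF_PEM : succeeds only if LEAF builds a valid path to ROOT
chains_to() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# audit DIR LEAF... : one verdict per leaf, trusting only the cluster root (rootA)
audit() {
  d=$1; shift
  for leaf in "$@"; do
    if chains_to "$d/rootA.pem" "$d/intermediates.pem" "$d/$leaf.pem"; then
      echo "$leaf: chains to cluster root"
    else
      echo "$leaf: chain broken, regenerate or delete"
    fi
  done
}

lab=$(mktemp -d) && build_lab "$lab" && audit "$lab" msg-new msg-stale
```

With real exports, only `chains_to` and `audit` are needed: point them at the exported root, the intermediate bundle and the leaf certificates in place of the constructed lab files.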
In a cluster, a PSN doesn't have a Node CA, only a Sub CA: