Phase 2: Import & Bind to ISE

Prerequisites

  • Signed certificate received from CA

  • Certificate chain complete (root + intermediate + leaf)

  • Maintenance window scheduled — ISE services restart when admin cert changes

  • Rollback plan: current cert backed up

Verify Signed Certificate Before Import

# Check the signed cert
openssl x509 -in /path/to/signed-cert.pem -noout -subject -issuer -dates -ext subjectAltName

# Verify CN is NOT wildcard (grep -v prints the subject line only when it contains no '*')
openssl x509 -in /path/to/signed-cert.pem -noout -subject | grep -v '\*'
# If this grep prints nothing (exit status 1), the wildcard is in the CN: REJECT THE CERT

# Verify chain
openssl verify -CAfile /path/to/ca-chain.pem /path/to/signed-cert.pem
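
The checks above, combined with a test that the key file selected in the import step really belongs to the signed certificate, can be run as one pre-import gate. This is an added example, not part of the original runbook: the function names and the constructed `*.example.test` sample are assumptions, it inspects the CN field alone rather than the whole subject line, and it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: pre-import gate for an ISE system certificate.
# Function names and the *.example.test sample are assumptions.

# Print only the CN value ("multiline" puts each subject field on its own line).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# True when the private key belongs to the certificate: both must yield the
# same public key. "-passin pass:" makes an encrypted key fail, not prompt.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: preimport_check CERT KEY CA_CHAIN
# Prints one line per failed gate; returns non-zero if any gate fails.
preimport_check() {
    rc=0
    case "$(cert_cn "$1")" in
        *\**) echo "FAIL: wildcard in CN"; rc=1 ;;
    esac
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: expired or unreadable certificate"; rc=1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: chain does not verify"; rc=1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: key does not match certificate (or key is encrypted)"; rc=1; }
    return $rc
}

# Constructed sample: throwaway self-signed cert and key written to directory
# $1 with CN $2 and the wildcard only in the SAN. It stands in for the CA-signed
# files; being self-signed, it is passed as its own CA_CHAIN.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:ise.example.test,DNS:*.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

With the real files, the call is `preimport_check /path/to/signed-cert.pem ise-cert-renewal-2026.key /path/to/ca-chain.pem`; any FAIL line means the import should not proceed.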

Import into ISE

ISE Admin GUI path
Administration > System > Certificates > System Certificates > Import

Fields:
  - Select Certificate File: signed-cert.pem
  - Select Key File: ise-cert-renewal-2026.key (decrypted)
  - Certificate Chain: ca-chain.pem (root + intermediate)
  - Friendly Name: ISE-Wildcard-2026-renewal
  - Allow Wildcard Certificates: CHECKED
  - Usage:
    ✅ Admin
    ✅ EAP Authentication
    ✅ Portal
    ✅ pxGrid
Selecting "Admin" will trigger an ISE application service restart on this node. Do this during the maintenance window.

Bind to All Nodes

The wildcard cert must be imported to every ISE node (PAN + all PSNs). Repeat the import on each node, or use ISE’s certificate propagation if available in your version.

  • PAN — imported, all roles bound

  • PSN 1 — imported, all roles bound

  • PSN 2 — imported, all roles bound

  • additional nodes

Rolling Restart Sequence

1. Import cert on PSN nodes FIRST (non-primary)
2. Verify PSN services restart and come back healthy
3. Import cert on PAN LAST
4. Verify PAN services restart
5. Check inter-node communication (Administration > System > Deployment)

Backup Current Certificate

Before replacing, export the current cert from ISE:

Administration > System > Certificates > System Certificates
  > Select current cert > Export

Save to: data/d001/projects/ise-annual-cert-renewal/certs/ise-cert-pre-renewal-backup.pem
Encrypt: encrypt-file data/d001/projects/ise-annual-cert-renewal/certs/ise-cert-pre-renewal-backup.pem