Phase 3: Validation

Verify New Certificate Is Served (All Nodes, All TLS Ports)

# 443 = Admin GUI/API, 8443 = portals, 8910 = pxGrid. RADIUS (UDP/1812) is not a
# TLS listener, so it cannot be probed with s_client; the EAP certificate is
# validated by the supplicant test further down.
for host in {ise-pan-fqdn} {ise-psn1-fqdn} {ise-psn2-fqdn}; do
  for port in 443 8443 8910; do
    echo "=== $host:$port ==="
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 \
      || echo "!! no certificate retrieved from $host:$port"
    echo
  done
done

Verify CN and SAN

# CN must be the specific node FQDN, NOT a wildcard
openssl s_client -connect {ise-pan-fqdn}:443 -servername {ise-pan-fqdn} </dev/null 2>/dev/null \
  | openssl x509 -noout -subject
# Expected: CN = access2.ise.chla.org

# SAN must contain the wildcard (clients match the hostname against the SAN, not the CN).
# A wildcard covers exactly one label: *.ise.chla.org matches psn1.ise.chla.org but not
# a.b.ise.chla.org, so every node FQDN must sit directly under ise.chla.org
openssl s_client -connect {ise-pan-fqdn}:443 -servername {ise-pan-fqdn} </dev/null 2>/dev/null \
  | openssl x509 -noout -ext subjectAltName
# Expected: DNS:*.ise.chla.org

Verify Chain Is Complete

# Save the chain as the server presents it (leaf first, then intermediates), then verify
# the leaf against those intermediates and the CA root; {ca-root-pem} is the root CA file
openssl s_client -connect {ise-pan-fqdn}:443 -servername {ise-pan-fqdn} -showcerts </dev/null 2>/dev/null \
  | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > /tmp/ise-chain.pem
openssl verify -CAfile {ca-root-pem} -untrusted /tmp/ise-chain.pem -show_chain /tmp/ise-chain.pem
# Expected: "OK" and a chain of 2+ certs (leaf, issuing CA, root).
# "unable to get local issuer certificate" means the issuing CA was not bound to the
# system certificate in ISE and supplicants/browsers will fail to build the chain too

ISE Deployment Health

! ISE Admin GUI
Administration > System > Deployment
  - All nodes should show green/connected
  - No "Certificate Error" warnings

! ISE CLI (SSH to each node)
show application status ise
show ntp

Test 802.1X EAP Authentication

  • Windows supplicant connects via 802.1X (PEAP or EAP-TLS)

  • No certificate warning on supplicant. A supplicant that validates the server
    certificate only trusts the issuing CA it was provisioned with, so if the issuer
    changed with this renewal the new CA must already be pushed (GPO/MDM) or PEAP fails

  • ISE Live Logs (Operations > RADIUS > Live Logs) show successful EAP
    authentications time-stamped after the renewal, on every PSN

  • macOS/Linux supplicant connects (if applicable)

Test Portal Access

Test pxGrid

  • pxGrid clients reconnect after renewal

  • SIEM integration receiving data

  • MDM integration functional

Compare Fingerprints (Old vs New)

# New cert fingerprint (as served)
openssl s_client -connect {ise-pan-fqdn}:443 -servername {ise-pan-fqdn} </dev/null 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256

# Compare against pre-renewal backup
openssl x509 -in data/d001/projects/ise-annual-cert-renewal/certs/ise-cert-pre-renewal-backup.pem \
  -noout -fingerprint -sha256

# They should be DIFFERENT. If they are the same, either the import didn't take or the
# new cert was imported but the Admin/Portal/EAP/pxGrid usages are still assigned to
# the old one (Administration > System > Certificates > System Certificates).
# Repeat for each node and for 8443/8910: each usage can be bound to a different cert
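The CN/SAN, chain and fingerprint checks above are written as one-off commands against a live node. The script below is an added example (not part of the runbook or of Cisco ISE) that turns them into reusable checks over a saved chain file, so the validation can be re-run per node and per port and fail loudly instead of printing output that has to be eyeballed. It assumes the chain file is in the order `openssl s_client -showcerts` presents it (leaf first); the `make_fixture` function builds a constructed, throw-away root/issuing-CA/leaf set with the runbook's CN and SAN layout purely so the checks can be exercised offline, and the `--demo` flag runs them against that fixture. The CA and file names in the fixture are assumptions.

```shell
#!/usr/bin/env bash
# Added validation helpers (not part of the runbook). They work on a saved
# chain file in the order `openssl s_client -showcerts` presents it (leaf
# first) so the checks can be scripted and re-run without a live session.
set -u

# 0 if the leaf CN is exactly the expected node FQDN and not a wildcard.
check_cn() {  # $1=chain.pem  $2=expected FQDN
  local cn
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ -n "$cn" ] && [ "$cn" = "$2" ] && [ "${cn#\*.}" = "$cn" ]
}

# 0 if the leaf SAN list contains the given DNS entry, e.g. '*.ise.chla.org'.
# grep -F: the '*' and '.' of a wildcard are matched literally, not as a regex.
check_san() {  # $1=chain.pem  $2=expected DNS SAN
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# 0 if the leaf (first cert in the file) chains to the CA root using only the
# other certs served in the same file as intermediates. A leaf served without
# its issuing CA fails here exactly as it would on a supplicant or browser.
check_chain() {  # $1=chain.pem  $2=ca-root.pem
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# 0 if the SHA-256 fingerprints differ, i.e. the renewed cert is the one served.
check_rotated() {  # $1=served chain.pem  $2=pre-renewal backup .pem
  local new old
  new=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
  old=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$new" ] && [ "$new" != "$old" ]
}

# Constructed offline fixture (assumed names, not real ISE material): a root,
# an issuing CA and an old/new leaf pair with the CN/SAN layout the runbook
# expects, so the checks above can be exercised without a deployment.
make_fixture() {  # $1=work dir
  local d="$1" n
  cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:*.ise.chla.org, DNS:access2.ise.chla.org
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$d/ext.cnf" \
    -extensions ca_ext -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -subj "/CN=Example Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
  for n in old new; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
      -subj "/CN=access2.ise.chla.org" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/$n.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/$n.pem" 2>/dev/null
  done
  # What a correctly bound ISE node serves: new leaf followed by its issuing CA
  cat "$d/new.pem" "$d/int.pem" > "$d/chain.pem"
}

# Run all four checks against a chain file; one PASS/FAIL line each, non-zero on any FAIL.
validate() {  # $1=chain.pem  $2=ca-root.pem  $3=old backup .pem  $4=node FQDN  $5=wildcard SAN
  local rc=0
  check_cn "$1" "$4"      && echo "PASS cn"      || { echo "FAIL cn";      rc=1; }
  check_san "$1" "$5"     && echo "PASS san"     || { echo "FAIL san";     rc=1; }
  check_chain "$1" "$2"   && echo "PASS chain"   || { echo "FAIL chain";   rc=1; }
  check_rotated "$1" "$3" && echo "PASS rotated" || { echo "FAIL rotated"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--demo" ]; then  # self-test on the constructed fixture
  w=$(mktemp -d); make_fixture "$w"
  validate "$w/chain.pem" "$w/root.pem" "$w/old.pem" access2.ise.chla.org '*.ise.chla.org'
  rm -rf "$w"
fi
```

Against a real node, feed `validate` the chain saved in the "Verify Chain Is Complete" step, the root CA file, the pre-renewal backup, the node FQDN and the wildcard SAN; run it once per node and once per TLS port, because each ISE usage (Admin, Portal, pxGrid) can be bound to a different certificate. `check_chain` deliberately verifies only against what the server sent plus the root, not against the local trust store, so a missing issuing CA shows up as a failure rather than being silently filled in from the workstation's CA bundle.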