Restore Certificates on the PAN
When you upgrade a distributed deployment, the Primary Administration Node's root CA certificates are not added to the Trusted
Certificates store if both of the following conditions are met:
If the certificates are not in the store, you may see authentication failures with the following errors:
You can see these messages when you click the More Details link from the Live Logs page for failed authentications.
To restore the Primary Administration Node's root CA certificates, generate a new Cisco ISE Root CA certificate chain. In the Cisco ISE GUI, click the Menu icon and choose .
Restore Certificates and Keys to Secondary Administration Node
If you are using a Secondary Administration Node, obtain a backup of the Cisco ISE CA certificates and keys from the Primary
Administration Node, and restore it on the Secondary Administration Node. This allows the Secondary Administration Node to
function as the root CA or subordinate CA of an external PKI if the primary PAN fails and you promote the Secondary Administration
Node to be the Primary Administration Node.
For more information about backing up and restoring certificates and keys, see:
Backup and Restore of Cisco ISE CA Certificates and Keys