A new certificate was updated successfully on the primary PAN but never made it to the secondary nodes.
Solution:
Export the successfully imported certificate and its private key (with a password).
Import it into each secondary node manually from the primary PAN.
Select the proper node, do not check “Allow wildcard certificates”, and select the proper roles.
1 comment on Cisco ISE || Wildcard Certificate update fails on secondary nodes
Thank you.
Our environment also hit the bug below, where the wildcard cert could not be pushed to the secondary node:
https://bst.cisco.com/bugsearch/bug/CSCwd10951
We fixed this issue with the steps below:
1) Deregister ISE node 2 from the deployment.
2) Export the new wildcard certificate from ISE node 1 with its key.
3) Import this new wildcard certificate manually on ISE node 2.
4) Set the usage of the new wildcard certificate for the admin roles on ISE node 2.
5) Map the new wildcard certificate to the admin roles on ISE node 1.
6) Register ISE node 2 in the deployment again. At this time both nodes have the new wildcard certificate, already mapped to the admin roles.
7) Assign the personas/roles on ISE node 2.
8) Check the Sync option in the deployment.
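After either procedure above, the check worth running is whether every node in the deployment is now actually serving the same admin certificate and whether each node's FQDN is covered by the wildcard. The script below is an added example, not code from the post or from Cisco; the node names, port and fingerprints in it are constructed sample data, and it assumes the admin certificate is served on TCP 443.

```python
# Added example (not from the original post): verify that every ISE node
# presents the same admin certificate as the primary PAN and that each
# node's FQDN is covered by the wildcard name. Sample data is constructed.
import hashlib
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: '*.example.com' covers exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]          # the label the '*' must cover
    return bool(left) and "." not in left


def fetch_cert(host: str, port: int = 443) -> dict:
    """Return the SHA-256 fingerprint of the certificate a node actually serves.
    Verification is disabled on purpose: we want to see what is presented,
    not whether this client trusts it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return {"fqdn": host, "fingerprint": hashlib.sha256(der).hexdigest()}


def audit_deployment(primary: dict, secondaries: list, wildcard: str) -> list:
    """One finding per node whose cert differs from the primary PAN's or whose
    FQDN the wildcard does not cover. Node dicts carry 'fqdn' and 'fingerprint'."""
    findings = []
    for node in [primary, *secondaries]:
        if node["fingerprint"] != primary["fingerprint"]:
            findings.append(f"{node['fqdn']}: certificate differs from primary PAN")
        if not wildcard_matches(wildcard, node["fqdn"]):
            findings.append(f"{node['fqdn']}: not covered by {wildcard}")
    return findings


if __name__ == "__main__":
    # Constructed sample: node 2 is still serving its old certificate.
    pan = {"fqdn": "ise-pan1.example.com", "fingerprint": "aa" * 32}
    nodes = [{"fqdn": "ise-pan2.example.com", "fingerprint": "bb" * 32},
             {"fqdn": "ise-psn1.example.com", "fingerprint": "aa" * 32}]
    for line in audit_deployment(pan, nodes, "*.example.com"):
        print(line)
```

In a live deployment, replace the constructed dicts with `fetch_cert(fqdn)` for the PAN and each secondary; an empty findings list means the certificate propagated.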