https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3695315#M508064 <P>Thanks&nbsp;<SPAN>Hosuk</SPAN> for your response. It answered my questions.</P> Mon, 27 Aug 2018 07:15:31 GMT Neelesh Marathe 2018-08-27T07:15:31Z https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3691935#M508060 <P>Hello Team,</P> <P>&nbsp;</P> <P>We have total 22 ISE nodes ( Including Admin+Mnt) in cluster and using ISE 2.4 version. We have already installed identity certificate for every node from private CA and assigned "Admin" role in ISE. We have also installed root certificate in Trusted store.&nbsp;All the certificates are SHA1 certificates.</P> <P>&nbsp;</P> <P>Now customer has upgraded the same Certificate Authority server to support SHA 2 and provided us new identity and root certificates.</P> <P>&nbsp;</P> <P>While importing the new root certificate, it is giving the following error.</P> <P><FONT size="1 2 3 4 5 6 7"><STRONG>"There is one system certificate with the same subject name and issuer but having a different serial number. Importing was aborted. For successful importing, you need to remove the other certificate first</STRONG></FONT>"</P> <P>&nbsp;</P> <P>My questions are,</P> <P>1. If I remove the earlier root certificate, not changing identity certificate role, will it impact ISE functionality?</P> <P>2. Do I need to change "Admin role" to some other certificate first and then remove the root certificate ? and then install new root and Identity certificates.</P> <P>&nbsp;</P> <P>Could you please guide us the correct way of importing the certificates in this scenarios</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Neelesh Marathe</P> Tue, 21 Aug 2018 07:20:03 GMT https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3691935#M508060 Neelesh Marathe 2018-08-21T07:20:03Z https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3692254#M508062 <P>1. Yes, but you will not be able to remove the root CA certificate until none of the identity certificates are tied to the old root CA</P> <P>2. Yes, but make sure even after using another certificate temporarily, that the communication between PAN and secondary nodes are functioning before proceeding.</P> Tue, 21 Aug 2018 15:10:14 GMT https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3692254#M508062 howon 2018-08-21T15:10:14Z https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3695315#M508064 <P>Thanks&nbsp;<SPAN>Hosuk</SPAN> for your response. It answered my questions.</P> Mon, 27 Aug 2018 07:15:31 GMT https://community.cisco.com/t5/network-access-control/import-root-certificate-with-same-subject-and-issuer-name/m-p/3695315#M508064 Neelesh Marathe 2018-08-27T07:15:31Z