https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558263#M520133 <HTML><HEAD></HEAD><BODY><P>Hi again yes you can use self signed certificate for different portals.Just go in certificate authority system certificates choose self-sign certificate&nbsp; and edit it to use for portals .</P></BODY></HTML> Fri, 10 Nov 2017 09:33:42 GMT ognyan.totev 2017-11-10T09:33:42Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558260#M520130 <HTML><HEAD></HEAD><BODY><P>Hi Team,</P><P></P><P>Facing an issue while importing certificate in the ISE 2.3 PoV. The onsite partner has clarified that the CSR file created and signed by the CA (digicert is used for signing the request) has been created as per the documented process but at the time of importing throws the error of Certificate/Private Key validation failed. The error is as attached here.</P><P></P><P>Kindly suggest for any specific conditions to be checked on the same.</P></BODY></HTML> Tue, 07 Nov 2017 07:56:56 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558260#M520130 ymadheka 2017-11-07T07:56:56Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558261#M520131 <HTML><HEAD></HEAD><BODY><P>I think this is because missing ROOT CA in trusted store .This will help you <A href="https://community.cisco.com/docs/DOC-68164">How To: Implement ISE Server-Side Certificates</A></P></BODY></HTML> Tue, 07 Nov 2017 09:13:06 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558261#M520131 ognyan.totev 2017-11-07T09:13:06Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558262#M520132 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the response.</P><P></P><P>We have managed to solve the issue with wildcard certificate signed by CSR generated from ISE. We also understand that the customer is currently having a wildcard certificate in their internal CA hence we need the wildcard certificate for the ISE portals and functionalities which is not working since the Windows clients rejects certificate <SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">with * in the CN name. In this case if we uncheck the <SPAN lang="EN-GB" style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">Validate Server Certificate the redirection but still it is not working. <BR /></SPAN></SPAN></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"><SPAN lang="EN-GB" style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"><BR /></SPAN></SPAN></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"><SPAN lang="EN-GB" style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"></SPAN></SPAN>Kindly clarify if we can use self signed certificate to achieve the ISE AAA, BYOD and posture capabilities.</P></BODY></HTML> Fri, 10 Nov 2017 09:27:48 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558262#M520132 ymadheka 2017-11-10T09:27:48Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558263#M520133 <HTML><HEAD></HEAD><BODY><P>Hi again yes you can use self signed certificate for different portals.Just go in certificate authority system certificates choose self-sign certificate&nbsp; and edit it to use for portals .</P></BODY></HTML> Fri, 10 Nov 2017 09:33:42 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558263#M520133 ognyan.totev 2017-11-10T09:33:42Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558264#M520134 <HTML><HEAD></HEAD><BODY><P>Self signed cents in testing will fail for some clients! For example Apple iOS byod onboarding in latest builds has been secured by Apple and will present awful onboarding experience for the user as they will have to manually trust certificate after going through byod flow and have to go through it again</P><P></P><P>Guest redirects may fail in latest browsers as vendors are cracking down on bad certificate and best practice</P><P></P><P>Do not deploy self signed certs in production</P><P></P><P>Please see admin guide recommendation of using well known certificate with wildcard in the SAN for a good solution</P><P></P><P>https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html?bookSearch=true#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2</P></BODY></HTML> Fri, 10 Nov 2017 12:29:20 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558264#M520134 Jason Kunst 2017-11-10T12:29:20Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558265#M520135 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>Thanks for the clarification and suggestion.</P><P></P><P>We will work on the same and let you know in case of any further queries.</P><P></P><P></P><P>Best Regards,</P><P>Yogesh Madhekar</P></BODY></HTML> Tue, 14 Nov 2017 06:32:47 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558265#M520135 ymadheka 2017-11-14T06:32:47Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558266#M520136 <HTML><HEAD></HEAD><BODY><P>There is a document for guest wired access ,what kind of acl you use,</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html" title="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html">Central Web Authentication with a Switch and Identity Services Engine Configuration Example - Cisco</A></P><P></P><P>Also you can check <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html">Cisco Identity Services Engine Network Component Compatibility, Release 2.3 - Cisco</A></P></BODY></HTML> Wed, 15 Nov 2017 08:40:21 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558266#M520136 ognyan.totev 2017-11-15T08:40:21Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558267#M520137 <HTML><HEAD></HEAD><BODY><P>We are using self signed certificate but the issue is that the redirection is not working, getting the error screenshot as mentioned above with error as stated here:</P><P></P><P>After diagnosing the issue, it has been found that the Radius Authentication is failing on the Cisco Attribute Value (Cisco AVpair) "coa-skip-logical-profile="</P><P></P><P>Has anyone got any idea into this error?</P></BODY></HTML> Thu, 16 Nov 2017 04:29:03 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558267#M520137 ymadheka 2017-11-16T04:29:03Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558268#M520138 <HTML><HEAD></HEAD><BODY><P>call the tac to debug switching issues </P></BODY></HTML> Thu, 16 Nov 2017 12:02:09 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558268#M520138 Jason Kunst 2017-11-16T12:02:09Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558269#M520139 <HTML><HEAD></HEAD><BODY><P>Known bugs:</P><P>CSCvg70582 (ISE bug)</P><P>CSCsx97093 (Switch bug)</P></BODY></HTML> Thu, 16 Nov 2017 19:08:58 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/3558269#M520139 hslai 2017-11-16T19:08:58Z https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/4031743#M520140 <P>I had the same problem today, 2/17/2020.</P><P>The problem is the format of the certificates.</P><P>The Certificate must be in .PEM or .DER format.</P><P>The Private Key must be in .KEY format.</P><P>Obeying these requirements, and using the correct password, the procedure works.</P><P>Here I imported DigiCert's Root, but I don't know if this step is really necessary, in any case it doesn't hurt.</P> Tue, 18 Feb 2020 18:31:43 GMT https://community.cisco.com/t5/network-access-control/certificate-private-key-validation-failed/m-p/4031743#M520140 Douglas Koja 2020-02-18T18:31:43Z