https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4041123#M558619 <P>Okay, looks like it's really stuck in a weird way. It let me assign the self-signed cert to the Portal, but it only took the role away from "portal-ssl-1", leaving "portal-ssl-2" and the self-signed cert assigned to Default Portal duty.</P><P>&nbsp;</P><P>I'll either call TAC or simply reinstall the node. (Probably the latter, since I'm now wary of what else may be messed up on it, and it's currently in a backup role anyway.)</P><P>&nbsp;</P><P>Thank you for the help, Greg.</P> Thu, 05 Mar 2020 17:53:56 GMT joe_lizzi 2020-03-05T17:53:56Z https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4040462#M558583 <P>I have an interesting issue on one of my ISE 2.4 (Patch 11) nodes. It has somehow managed to get two separate certs assigned to the "Default Portal Certificate Group". For example:</P><P>&nbsp;</P><P>&nbsp; Name: portal-ssl-1.ise&nbsp;&nbsp;&nbsp; Use: Portal&nbsp;&nbsp;&nbsp; Portal group tag: Default Portal Certificate Group</P><P>&nbsp; Name: portal-ssl-2.ise&nbsp;&nbsp;&nbsp; Use: Portal&nbsp;&nbsp;&nbsp; Portal group tag: Default Portal Certificate Group</P><P>&nbsp;</P><P>(Note: portal-ssl-2 was imported as a replacement for portal-ssl-1, but instead of switching the tag to the newer cert, it instead seems to have duplicated it.) It won't let me delete either one of them, complaining that they're in use by existing portals. It won't let me edit either one to use a different group tag. I don't have this issue on any of the other nodes in the cluster, all of which had their certs updated.</P><P>&nbsp;</P><P>Is there a way to resolve this, perhaps via CLI?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Mar 2020 21:01:14 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4040462#M558583 joe_lizzi 2020-03-04T21:01:14Z https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4040494#M558585 <P>You might try the following:</P> <OL> <LI>Export the 'portal-ssl-2' certificate and key to back them up</LI> <LI>Create a new self-signed certificate and bind it to the Default Portal Certificate Group</LI> <LI>Delete both the 'portal-ssl-1' and 'portal-ssl-2' certificates</LI> <LI>Import the 'portal-ssl-2' certificate and key and bind it to the Default Portal Certificate Group</LI> <LI>Delete the self-signed certificate</LI> </OL> <P>If that still fails, you will need to open a TAC case. Fixing these types of certificate binding issues typically requires TAC using the root patch to delete the certificate bindings directly from the database.</P> <P>&nbsp;</P> Wed, 04 Mar 2020 21:55:02 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4040494#M558585 Greg Gibbs 2020-03-04T21:55:02Z https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4041123#M558619 <P>Okay, looks like it's really stuck in a weird way. It let me assign the self-signed cert to the Portal, but it only took the role away from "portal-ssl-1", leaving "portal-ssl-2" and the self-signed cert assigned to Default Portal duty.</P><P>&nbsp;</P><P>I'll either call TAC or simply reinstall the node. (Probably the latter, since I'm now wary of what else may be messed up on it, and it's currently in a backup role anyway.)</P><P>&nbsp;</P><P>Thank you for the help, Greg.</P> Thu, 05 Mar 2020 17:53:56 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-stuck-quot-default-portal-cetificate-group-quot-certs/m-p/4041123#M558619 joe_lizzi 2020-03-05T17:53:56Z