https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4101605#M561142 <P>Hi,</P><P>&nbsp;</P><P>I have a four node ISE cluster that one of the EAP certificates has expired.&nbsp; A new certificate has ben issued with the same subject as the exiting one.&nbsp; I am prompted that I can only have two certificates with the same subject when I am replacing one with the same role (I am).&nbsp; I get an Okay prompt but it won't let me continue and I can't remove the expired certificate because it reports "The EAP certificate cannot be deleted".</P><P>I did try to replace this before it expired but was running into the same issues.</P><P>How do I de-link this certificate for me to be able to replace it?</P><P>&nbsp;</P><P>I have a 2.6 cluster that is currently being configured but would like to get this one ack up a running to give me more breathing space.</P><P>&nbsp;</P><P>Regards</P><P>Gavin</P> Thu, 11 Jun 2020 14:50:52 GMT GLiquorish 2020-06-11T14:50:52Z https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4101605#M561142 <P>Hi,</P><P>&nbsp;</P><P>I have a four node ISE cluster that one of the EAP certificates has expired.&nbsp; A new certificate has ben issued with the same subject as the exiting one.&nbsp; I am prompted that I can only have two certificates with the same subject when I am replacing one with the same role (I am).&nbsp; I get an Okay prompt but it won't let me continue and I can't remove the expired certificate because it reports "The EAP certificate cannot be deleted".</P><P>I did try to replace this before it expired but was running into the same issues.</P><P>How do I de-link this certificate for me to be able to replace it?</P><P>&nbsp;</P><P>I have a 2.6 cluster that is currently being configured but would like to get this one ack up a running to give me more breathing space.</P><P>&nbsp;</P><P>Regards</P><P>Gavin</P> Thu, 11 Jun 2020 14:50:52 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4101605#M561142 GLiquorish 2020-06-11T14:50:52Z https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4101646#M561146 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/616304">@GLiquorish</a>&nbsp;,</P> <P>You have two choices here:</P> <OL> <LI>You click on 'Edit' on another certificate on that node and choose EAP service. That way you can move the EAP service from the current certificate and then delete the expired EAP certificate. Next, add your new certificate and select EAP again. You should now have EAP on the new and shiny certificate.</LI> <LI>You create a new CSR, just like the expired EAP certificate, except for a minor change like OU, City, etc. Then you get it signed and bind it the with the CSR. It shouldn't give any warnings.</LI> </OL> Thu, 11 Jun 2020 15:59:20 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4101646#M561146 Anurag Sharma 2020-06-11T15:59:20Z https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4104922#M561275 <P>Hi</P><P>Thanks for the response.&nbsp;</P><P>I have managed to delete the old certificate but binding the new certificate to the CSR generates an "<FONT face="courier new,courier" size="3">Internal error. Ask your system administrator to check the logs for more details</FONT>" message.</P><P>&nbsp;</P><P>The debug logs are showing the following two messages:</P><P><FONT face="courier new,courier" size="2">2020-06-17 14:01:26,573 ERROR [admin-http-pool132][] infrastructure.certmgmt.service.impl.LocalCertificateServiceImpl -:::::- Unexpected exception: com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities</FONT></P><P>&nbsp;</P><P><FONT face="courier new,courier" size="2">com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities</FONT></P><P>&nbsp;</P><P>Is it worth rebooting this server and if so, what is the cleanest way to do this?</P><P>&nbsp;</P><P>Regards</P><P>Gavin</P> Wed, 17 Jun 2020 14:16:09 GMT https://community.cisco.com/t5/network-access-control/ise-1-4-eap-certificate-renewal-issue/m-p/4104922#M561275 GLiquorish 2020-06-17T14:16:09Z