https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170754#M563441 <P>Hi</P> <P>&nbsp;</P> <P>Thanks I already tried that.</P> <P>&nbsp;</P> <P>The CSR was created on an ISE node.</P> <P>I was creating two CSRs for the EAP roles on the two PSNs. And the idea was to have the EAP cert signed by the ISE Internal CA, so that I can hand out the ISE Internal Root CA cert to clients. No matter which PSN is used, the client will trust both. This customer has no PKI, therefore it seemed that the ISE CA was ideal.</P> <P>The first CSR was accepted by the pxGrid certificate generator and it produced a cert that I was able to bind to ISE01. But it's ISE02 that I am having issues with. I created another CSR just for ISE02 but each time I get this .zip error, and the cert is created (but I cannot access it) - all the fields look correct when I view the cert details.</P> <P>The weird thing is that the cert is always generated correctly and I can see it in the issued Certificates list. It seems like a bug in the packaging of the .zip file.&nbsp; I have never seen such an error and I have created a lot of certs on the internal ISE CA.</P> <P>I have also stopped and rebooted both nodes - made no difference - still same .zip error.</P> <P>&nbsp;</P> Wed, 21 Oct 2020 06:43:56 GMT Arne Bier 2020-10-21T06:43:56Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170196#M563424 <P>Hello</P> <P>&nbsp;</P> <P>On a two node ISE 2.7 patch 2 system I saw a strange error while generating a cert in the pxGrid Services screen.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pxGrid cert zip issie.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86499i80327F37EA88C2B2/image-size/large?v=v2&amp;px=999" role="button" title="pxGrid cert zip issie.PNG" alt="pxGrid cert zip issie.PNG" /></span></P> <P>&nbsp;</P> <P>The certificate was in fact generated! - but due to the error message I was unable to download the cert. I don't know any other way to get access to that cert (I can see the cert under the Internal CA Issued Certs)&nbsp;</P> <P>&nbsp;</P> <P>Short of restarting the ISE node, I don't know what else to try? Anyone seen this before?</P> Tue, 20 Oct 2020 11:24:34 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170196#M563424 Arne Bier 2020-10-20T11:24:34Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170672#M563427 <P>Hello Arne,</P> <P>&nbsp;</P> <P>If certificate for PxGrid client was generated with CSR in PKCS8 format. If SAN field is configured either in CSR or while generating certificate. If not then try by adding SAN field and check if that resolves the issue.</P> Wed, 21 Oct 2020 04:39:13 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170672#M563427 poongarg 2020-10-21T04:39:13Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170751#M563439 <P>hi Arne</P><P>hopefully u have already resolved this issue, but isnt there "Export certicficate" element in "Internal CA issued"?</P> Wed, 21 Oct 2020 06:39:40 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170751#M563439 Andrii Oliinyk 2020-10-21T06:39:40Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170754#M563441 <P>Hi</P> <P>&nbsp;</P> <P>Thanks I already tried that.</P> <P>&nbsp;</P> <P>The CSR was created on an ISE node.</P> <P>I was creating two CSRs for the EAP roles on the two PSNs. And the idea was to have the EAP cert signed by the ISE Internal CA, so that I can hand out the ISE Internal Root CA cert to clients. No matter which PSN is used, the client will trust both. This customer has no PKI, therefore it seemed that the ISE CA was ideal.</P> <P>The first CSR was accepted by the pxGrid certificate generator and it produced a cert that I was able to bind to ISE01. But it's ISE02 that I am having issues with. I created another CSR just for ISE02 but each time I get this .zip error, and the cert is created (but I cannot access it) - all the fields look correct when I view the cert details.</P> <P>The weird thing is that the cert is always generated correctly and I can see it in the issued Certificates list. It seems like a bug in the packaging of the .zip file.&nbsp; I have never seen such an error and I have created a lot of certs on the internal ISE CA.</P> <P>I have also stopped and rebooted both nodes - made no difference - still same .zip error.</P> <P>&nbsp;</P> Wed, 21 Oct 2020 06:43:56 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170754#M563441 Arne Bier 2020-10-21T06:43:56Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170763#M563443 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/293790">@Andrii Oliinyk</a>&nbsp; - sadly not - I can view or revoke the cert. When I view, there are no further options. Not even a BASE64 format that&nbsp; I could copy and paste.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="issued.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86574i6115607003FFE61C/image-size/large?v=v2&amp;px=999" role="button" title="issued.png" alt="issued.png" /></span></P> Wed, 21 Oct 2020 06:58:51 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4170763#M563443 Arne Bier 2020-10-21T06:58:51Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4172131#M563479 <P>Check if the 3-level certificate hierarchy can be traced to a single root CA on both nodes.</P> Thu, 22 Oct 2020 21:38:43 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4172131#M563479 Peter Koltl 2020-10-22T21:38:43Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4174711#M563543 <P>wow I hadn't thought of that - I will check - but ISE should not allow more than one Root CA to be in place.</P> Wed, 28 Oct 2020 00:35:48 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4174711#M563543 Arne Bier 2020-10-28T00:35:48Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4447830#M568985 <P>i have the issue , certificate chain was created correctly but the " zip " process keeps fail , and i am not unable to download it .</P><P>is there a way to do that with cli?</P> Wed, 11 Aug 2021 14:27:13 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4447830#M568985 eugeniodesideri 2021-08-11T14:27:13Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4448104#M568997 <P>Certificates cannot be managed via the CLI. If you're having issues generating certificates from the internal CA for supported BYOD/pxGrid use cases, you might try another browser and regenerating the CA Root Chain from the <STRONG>Generate CSR</STRONG> menu.</P> <P>If you're still having issues, I would suggest opening a TAC case.</P> Wed, 11 Aug 2021 23:08:23 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4448104#M568997 Greg Gibbs 2021-08-11T23:08:23Z https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4449397#M569040 <P>If the ISE admin server certificate is issued by ISE internal CA, then this is a known issue -- CSCvi85028</P> <P>Or, it could be due to CSCvp30790</P> Sat, 14 Aug 2021 04:44:53 GMT https://community.cisco.com/t5/network-access-control/ise-internal-cert-generation-failed-something-went-wrong-with/m-p/4449397#M569040 hslai 2021-08-14T04:44:53Z