topic The Portal tag is already assigned to the following certificate(s) in Network Access Control

The Portal tag is already assigned to the following certificate(s)

Anthony O'Reilly — Thu, 10 Feb 2022 18:25:30 GMT

Hi,

I have Cisco ISE version 3.0 Patch 2.

The portal certificate is expiring in about 5 week time.

I need to Generate a CSR to replace this certificate with a newer one. I have added in all the info except that the friendly name has 2022 in it and the old cert does not.

When I check Submit, I get the following warning:

The Portal tag is already assigned to the following certificate(s). If you proceed, it will be removed from the existing certificates, and affected portals will be restarted. Do you want to proceed?

2022_Cert_Portal_ISE_01

I don't want to click "Yes" in case I cause an outage.

Any ideas?

Thanks

Anthony.

Re: The Portal tag is already assigned to the following certificate(s)

Greg Gibbs — Thu, 10 Feb 2022 22:08:39 GMT

The Portal Tag is not really part of the CSR or the certificate itself. It's just an internal mapping in ISE.

You can create the CSR with a new dummy Portal Tag to get the signed cert from your CA. Once you have the signed certificate, you can either:

Specify the real Portal Tag when binding the certificate to the CSR, at which point the affected portals will be restarted
Bind the certificate to the CSR using the dummy Portal Tag and edit the cert at a later date to move it to the real Portal Tag (at which point the affected portals will be restarted)

You should note that the portal restart happens very quickly and may not even be noticeable to end users. It is not the same as the ISE services restarting.

Re: The Portal tag is already assigned to the following certificate(s)

Aref Alsouqi — Fri, 11 Feb 2022 09:15:25 GMT

In case we click yes, would the existing portal remain with no certificate associated until the renewed one is bound?

Re: The Portal tag is already assigned to the following certificate(s)

Anthony O'Reilly — Fri, 11 Feb 2022 09:21:04 GMT

Hi Greg,

Thanks for your quick response.

What I take from this is:

1. Generate a CSR, fill out all the fields I require but do not ticket the Portal option

2. When cert is returned from the CA, import it to ISE

3. Edit the imported cert and tick the Portal option. The service will restart but it may not be service affecting as this is instantaneous.

4. Delete old cert a few days later.

Do this step for both ISE appliances. We only have two ISE appliances and both certs are expiring on the same day.

Thanks

Anthony.

Re: The Portal tag is already assigned to the following certificate(s)

Greg Gibbs — Sun, 13 Feb 2022 22:35:50 GMT

It didn't make sense that ISE would pull the cert off since it only supports HTTPS, so I tested it in my lab. As I suspected, the CSR creation itself does not pull the cert from the portals or restart the portal. It only moves the cert and restarts the portals using the same Tag when the certificate is bound to the CSR.

Re: The Portal tag is already assigned to the following certificate(s)

Aref Alsouqi — Sun, 13 Feb 2022 23:18:53 GMT

That's why I was wondering! Thanks for spending the time to lab this up and confirm.

Re: The Portal tag is already assigned to the following certificate(s)

Anthony O'Reilly — Mon, 14 Feb 2022 09:26:59 GMT

Hi Greg,

Am I right in my thinking here?

Re: The Portal tag is already assigned to the following certificate(s)

Greg Gibbs — Mon, 14 Feb 2022 21:07:13 GMT

@Anthony O'Reilly,

Creating a CSR requires the selection of a Usage. If you select the 'Multi-Use' Usage for the CSR, the procedure you describe will work. You would select the Portal usage and Tag at the time binding the signed cert to the CSR.

Alternatively, you could select Portal Usage and correct Portal Tag at the time of creating the CSR and ignore the warning (as it only applies at the time of binding the cert to the CSR, as I described in the previous post).