<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Generating CSR Error on ISE for System Certificate used for EAP Au in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4934464#M584422</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;Hi Greg&lt;BR /&gt;How to renew certificate with the same CN,OU,O,....?&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 05 Oct 2023 04:34:46 GMT</pubDate>
    <dc:creator>jewfcb001</dc:creator>
    <dc:date>2023-10-05T04:34:46Z</dc:date>
    <item>
      <title>Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066008#M559616</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Quite new to the whole experience of ISE and Certificate based authentication on it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to generate a CSR for a System EAP authentication certificate that expires on 7th May for us. While trying to generate CSR however, I get below error message and the CSR does not get generated. How can I get beyond this? I am not sure if I should change any of the details from existing certificate.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE CSR Error.PNG" style="width: 674px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/71701i4F6603B34A1C881C/image-size/large?v=v2&amp;amp;px=999" role="button" title="ISE CSR Error.PNG" alt="ISE CSR Error.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 03:17:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066008#M559616</guid>
      <dc:creator>colossus1611</dc:creator>
      <dc:date>2020-04-15T03:17:17Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066017#M559617</link>
      <description>&lt;P&gt;Hi&lt;BR /&gt;The CSR you're generating mustn't have the same values in all fields as the one existing today already in use. Have you validated that you're filling in the same values on all fields?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Edit:typo error&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 03:45:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066017#M559617</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2020-04-15T03:45:24Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066020#M559619</link>
      <description>&lt;P&gt;ISE will not allow creating a CSR or binding a certificate that has the same Subject as another certificate. A common approach is to modify one of the certificate fields so that there is no matching Subject value.&lt;/P&gt;
&lt;P&gt;I typically use the OU field in the certificate to indicate the Usage (Admin, EAP, etc) of the certificate to avoid duplicate Subject value issues. When renewing a certificate, I often just modify the same OU field slightly (like adding the Month/Year) to produce a unique Subject value.&lt;/P&gt;
&lt;P&gt;I haven't seen anyone using the OU attribute as a matching condition in policies, so it is often easy to change.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 03:42:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066020#M559619</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2020-04-15T03:42:08Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066029#M559620</link>
      <description>&lt;P&gt;Thank you for the inputs. So I can add to OU field and make it different and ensure it isn't used in any policy matching, and it should be fine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Brings me to another important issue I am facing with CSR though - I am doing it for two nodes at the same time - how do I fill up the CN field under Subject in that case?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 04:30:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066029#M559620</guid>
      <dc:creator>colossus1611</dc:creator>
      <dc:date>2020-04-15T04:30:04Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066036#M559621</link>
      <description>&lt;P&gt;There are two typical approaches... wildcard certificates or Subject Alternative Name (SAN).&lt;/P&gt;
&lt;P&gt;Some clients might not support wildcard certs for EAP authentication so, when I've had a similar customer wanting to use a single EAP cert for multiple PSNs, I've used the SAN option.&lt;/P&gt;
&lt;P&gt;You would create the CSR (on PSN1) such that the CN = PSN1 FQDN and the SAN field has both the PSN1 and PSN2 FQDNs (in that order).&lt;/P&gt;
&lt;P&gt;You would then bind the cert to the CSR on PSN1, export the certificate with the key, then import the cert into PSN2.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 04:38:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066036#M559621</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2020-04-15T04:38:57Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066037#M559622</link>
      <description>Not sure I get your question correctly for CN.&lt;BR /&gt;By default, it's filled in with the keyword fqdn and ISE will use the FQDN of each server automatically for each CSR you generate (1 at a time).&lt;BR /&gt;&lt;BR /&gt;If you want to have only 1 cert, you can do 1 CSR, export it with its private key and import it on all other nodes.</description>
      <pubDate>Wed, 15 Apr 2020 04:41:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066037#M559622</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2020-04-15T04:41:43Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066056#M559623</link>
      <description>&lt;P&gt;Thanks again.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So sounds like there are two ways, although I find it much simpler if I let it use the FQDN under CN field, if it works. Currently CN field has by default $FQDN$ so that should work so long as I update one of the other fields, say OU to differentiate the certs from the existing ones and then it should all fall in place.&lt;/P&gt;&lt;P&gt;So I would generate CSR with those two fields as below for eg.:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE CSR CN and OU field.PNG" style="width: 598px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/71708i5BE05BF73F847000/image-size/large?v=v2&amp;amp;px=999" role="button" title="ISE CSR CN and OU field.PNG" alt="ISE CSR CN and OU field.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 05:10:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066056#M559623</guid>
      <dc:creator>colossus1611</dc:creator>
      <dc:date>2020-04-15T05:10:42Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066799#M559661</link>
      <description>Yes. If you want to have 1 certificate for both, you can add DNS names into SAN. Also you can change the fqdn variable by something like eap.company.com to have something common. However, you can move with 2 certificates as you said.</description>
      <pubDate>Wed, 15 Apr 2020 22:45:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4066799#M559661</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2020-04-15T22:45:53Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4071069#M559819</link>
      <description>One final query on this one guys - How can I restore previous certificate, if for any reason the new certificate does not work? Would it just be a matter of ticking/unticking the EAP authentication check box on the certificates? I note that currently I am not able to untick the EAP authentication option on the certificate in use. Also, should I be exporting the existing certificate with its private key as backup before changing over to new certificate? It might all turn out to be pretty straightforward, but I haven't been across such a change before, so trying to ensure all backup measures are in place. This one being EAP authentication certificate, would affect all wired users authentication.&lt;BR /&gt;&lt;BR /&gt;Thanks.&lt;BR /&gt;</description>
      <pubDate>Wed, 22 Apr 2020 01:54:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4071069#M559819</guid>
      <dc:creator>colossus1611</dc:creator>
      <dc:date>2020-04-22T01:54:15Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4071086#M559821</link>
      <description>&lt;P&gt;ISE requires that the EAP function (usage) is assigned to a certificate (and only one) so you cannot simply remove EAP from the existing certificate. You would have to install a new certificate with the EAP usage and ISE will move the EAP usage from the old to the new cert.&lt;/P&gt;
&lt;P&gt;As long as the new certificate has a different Subject than the old cert, the old cert should remain on ISE until you delete it. In that case, if the new cert does not work, you should be able to move the EAP usage back to the old cert.&lt;/P&gt;
&lt;P&gt;Best practice, however, is to export all identity certificates with their keys and copy them to a safe location that has strong security controls. That way, you can simply re-import them in the event of an unrecoverable node failure and not have to create new CSRs, trust chains, etc.&lt;/P&gt;</description>
      <pubDate>Wed, 22 Apr 2020 02:42:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4071086#M559821</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2020-04-22T02:42:11Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Au</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4934464#M584422</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;Hi Greg&lt;BR /&gt;How to renew certificate with the same CN,OU,O,....?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 05 Oct 2023 04:34:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4934464#M584422</guid>
      <dc:creator>jewfcb001</dc:creator>
      <dc:date>2023-10-05T04:34:46Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Au</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4935113#M584440</link>
      <description>&lt;P&gt;If you install a certificate with the same Subject as an existing certificate, ISE will throw a warning and the existing certificate will be deleted and replaced with the new one. If you run into issues with the new certificate, you will need to re-import the old certificate with the private key, which will again replace the new one.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Oct 2023 22:49:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4935113#M584440</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2023-10-05T22:49:25Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Au</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4935163#M584445</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;You mean .&amp;nbsp;&lt;BR /&gt;1. Delete the existing certificate and change role (Admin / EAP Authen / Portal) to new Cert&amp;nbsp;&lt;BR /&gt;2. CSR with same attribute and sign then install to ISE change role to (Admin/EAP Authen/Portal)&lt;BR /&gt;Am I correct?&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 06 Oct 2023 01:34:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4935163#M584445</guid>
      <dc:creator>jewfcb001</dc:creator>
      <dc:date>2023-10-06T01:34:26Z</dc:date>
    </item>
    <item>
      <title>Re: Generating CSR Error on ISE for System Certificate used for EAP Au</title>
      <link>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4935209#M584447</link>
      <description>&lt;P&gt;You can do it that way, but it will cause a restart of the ISE services every time you move the Admin role to another certificate.&lt;/P&gt;
&lt;P&gt;You can create a CSR with the same subject. ISE will throw a warning, but the old certificate won't be deleted until the new signed certificate is bound to the CSR.&lt;/P&gt;
&lt;P&gt;My preference, however, is to make a minor change in the subject (like the OU) so you can install the new certificate without warning or replacement. You can then move the relevant role(s) to the new certificate. If there is any issue with the new certificate, you can easily move the role(s) back to the old certificate without having to re-import it with the private key (which would then delete the new certificate)&lt;/P&gt;</description>
      <pubDate>Fri, 06 Oct 2023 04:49:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/generating-csr-error-on-ise-for-system-certificate-used-for-eap/m-p/4935209#M584447</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2023-10-06T04:49:39Z</dc:date>
    </item>
  </channel>
</rss>

