https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5085911#M589181 <P>Thanks for the reply Rob.&nbsp; Unfortunately, when I follow the steps in the article you sent, I still get the same error message.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITDept5418883_0-1714565346175.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/217287i6E22E98A3BD700A1/image-size/medium?v=v2&amp;px=400" role="button" title="ITDept5418883_0-1714565346175.png" alt="ITDept5418883_0-1714565346175.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 01 May 2024 12:09:27 GMT ITDept5418883 2024-05-01T12:09:27Z https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5084737#M589165 <P>Hello,</P><P>I created a csr for an expired EAP Authentication cert on my ISE box and received a new cert from my local CA server.&nbsp; When I try to gind the new cert to the csr I created, I receive a "<SPAN>Certificate/Private Key validation failed" message.&nbsp; Problem is, the system never asked for a password when the csr was created.&nbsp; So how do find the password or generate one?</SPAN>&nbsp;</P> Tue, 30 Apr 2024 18:38:47 GMT https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5084737#M589165 ITDept5418883 2024-04-30T18:38:47Z https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5084744#M589166 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/900572">@ITDept5418883</a> are you attempting to import the certificate?</P> <P>If you generated the CSR on the ISE node and this has been signed by the CA, you navigate<SPAN> to <STRONG>Administration&nbsp;&gt;&nbsp;System&nbsp;&gt; </STRONG><STRONG>Certificates </STRONG><STRONG>&gt; </STRONG><STRONG>Certificate Signing Requests</STRONG></SPAN>, then tick the checkbox on CSR and<SPAN>&nbsp;click&nbsp;</SPAN><STRONG>Bind Certificate</STRONG></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html#toc-hId--1724576993" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html#toc-hId--1724576993</A></P> <P>&nbsp;</P> Tue, 30 Apr 2024 18:44:15 GMT https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5084744#M589166 Rob Ingram 2024-04-30T18:44:15Z https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5085911#M589181 <P>Thanks for the reply Rob.&nbsp; Unfortunately, when I follow the steps in the article you sent, I still get the same error message.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITDept5418883_0-1714565346175.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/217287i6E22E98A3BD700A1/image-size/medium?v=v2&amp;px=400" role="button" title="ITDept5418883_0-1714565346175.png" alt="ITDept5418883_0-1714565346175.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 01 May 2024 12:09:27 GMT https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5085911#M589181 ITDept5418883 2024-05-01T12:09:27Z https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5085928#M589182 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/900572">@ITDept5418883</a> was the signed identity certificate issued from the CSR you created on ISE?</P> <P>I suggest recreating a new CSR from ISE GUI and get that signed by the CA and try again.</P> Wed, 01 May 2024 12:17:51 GMT https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5085928#M589182 Rob Ingram 2024-05-01T12:17:51Z https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5086069#M589185 <P>Rob,</P><P>We have a local AD integrated CA server that issues certs automatically to all workstations for authentication purposes on the ISE. We also use this CA server for the EAP Auth cert for ISE. I have created a CSR on ISE twice before, received a cert from the server and successfully imported into ISE.&nbsp; I don't remember having this password issue previously and I would assume I would be prompted to create a password at some point which I'm not.</P><P>Sam is my name btw, sorry for the anonymous user name.</P><P>&nbsp;</P> Wed, 01 May 2024 13:57:58 GMT https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5086069#M589185 ITDept5418883 2024-05-01T13:57:58Z https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5086084#M589186 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/900572">@ITDept5418883</a> Sam, if the CSR is generated on ISE the private key is stored locally. So as long the internal CA signs that CSR and you import the signed certificate it should work.</P> <P>Have you attempted to generate a new CSR, get this signed and attempt to bind?</P> <P>I have checked previous posts for the same error message and in this <A href="https://community.cisco.com/t5/network-access-control/binding-certificate-private-key-validtion-failed/td-p/4855061" target="_self">post</A> the issue was traced back to the signed certificate.</P> Wed, 01 May 2024 14:15:43 GMT https://community.cisco.com/t5/network-access-control/invalid-password-for-private-key-when-trying-to-bind-ca-signed/m-p/5086084#M589186 Rob Ingram 2024-05-01T14:15:43Z