CSCus84706 Error when attempting to renew node system cert

gschmitt.ngit
Level 1

Hi,

I'm running version 2.2 patch 9 and I'm hitting an error when I attempt to renew the system cert. The cert is a 3rd party signed wildcard. The current one expires on 12/22/18, and the new one I have was valid as of 10/22/18. The bug causes ISE to throw an error stating that there is already a cert with the same subject name but a different serial number.

The bug report says that it has been 'fixed' but does not list a working version.

The workaround is to remove the old cert and then import the new one. This is not really an option when it is the admin, EAP, and portal cert.

Has anyone figured out how to get past this issue?

Thanks,

Greg

Accepted Solutions

Surendra
Cisco Employee

The fix for the bug mentioned above is not to allow two certificates with the same subject name; instead, replace the old cert with the new cert. This is why you see it marked as fixed.

What you can do, as @Damien Miller mentioned, is change any field in the subject (CN, OU, C, O, L, ST) by as little as a single letter and get a certificate. This would mean that you would have a certificate with a different subject name and you should be able to install the certificate without any problem.

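An added example, not part of the original thread and not Cisco code: a pre-import check with the OpenSSL CLI that compares the subject DN and serial number of the installed and replacement certificates to predict the conflict described above. The certificates and subjects are constructed; treating the full subject DN as the comparison key is an assumption drawn from this thread, and `renewal_status`, `make_cert` and the other function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Cisco code): pre-import check for the conflict in this thread.
# Assumes OpenSSL 1.1.1+ on PATH and PEM-encoded certificates.

subject_of() { openssl x509 -in "$1" -noout -nameopt RFC2253 -subject; }
serial_of()  { openssl x509 -in "$1" -noout -serial; }
san_of()     { openssl x509 -in "$1" -noout -ext subjectAltName; }

# Echoes one of: distinct-subject | same-cert | conflict
renewal_status() {
  local old="$1" new="$2"
  if [ "$(subject_of "$old")" != "$(subject_of "$new")" ]; then
    echo "distinct-subject"   # subject DN differs: the workaround case
  elif [ "$(serial_of "$old")" = "$(serial_of "$new")" ]; then
    echo "same-cert"          # same subject and serial: the same certificate
  else
    echo "conflict"           # same subject, different serial: the reported error
  fi
}

# Constructed self-signed stand-in for a CA-issued wildcard (demo input only).
# Usage: make_cert <subject> <serial> <out.pem>
make_cert() {
  local key; key="$(mktemp)"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$key" -out "$3" -days 30 -set_serial "$2" -subj "$1" \
    -addext "subjectAltName=DNS:*.example.com" 2>/dev/null
  rm -f "$key"
}

demo() {
  local d; d="$(mktemp -d)"
  # Same subject, new serial: a plain renewal.
  make_cert "/C=US/ST=VA/O=Example Inc/CN=*.example.com"  1001 "$d/old.pem"
  make_cert "/C=US/ST=VA/O=Example Inc/CN=*.example.com"  1002 "$d/renewed.pem"
  # One character changed in O, CN and SAN left alone: the re-issue workaround.
  make_cert "/C=US/ST=VA/O=Example Inc./CN=*.example.com" 1003 "$d/reissued.pem"
  echo "renewed:  $(renewal_status "$d/old.pem" "$d/renewed.pem")"
  echo "reissued: $(renewal_status "$d/old.pem" "$d/reissued.pem")"
  [ "$(san_of "$d/old.pem")" = "$(san_of "$d/reissued.pem")" ] && echo "SAN unchanged"
  rm -rf "$d"
}
demo
```

Run `renewal_status` against the exported current system certificate and the file received from the CA before starting the import.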

8 Replies

Jason Kunst
Cisco Employee
Did you check with the TAC?

Not yet Jason. Was hoping someone had gotten an answer already.

This is a critical time limit; I would work through them ASAP.

Yeah. If no one replies tonight I'll be opening a TAC case in the morning.

You can try to get the cert re-issued with a different Subject Common Name. The Subject Common Name is pretty much pointless these days. Web sites don't use it if the SAN has a DNS entry that matches the FQDN. And for EAP it's not used.

Might be an option.

That may end up being our solution if the bug, in fact, has not been 'fixed'.

I've also found that you can just change a single character in the subject fields. It seems ISE doesn't care if the CN is the same.

Change any part of organization, location, state, or country.