Azure ID Error No trusted certificate found

lupingyao (Level 1)

I have tried to connect Azure and ISE (version 3.1 patch 6) using ROPC, but I got the following error:

Connection to ID Store failed with error: javax.net.ssl.SSLHandshakeException: No trusted certificate found and status: 400 BAD_REQUEST

I have checked the certificates; the following certificates are already installed and used for Cisco Services:

DigiCert Global Root CA

DigiCert Global Root G2 CA

Microsoft Azure TLS Issuing CA 01

Microsoft Azure TLS Issuing CA 02

Microsoft Azure TLS Issuing CA 05

Microsoft Azure TLS Issuing CA 06

Did I forget any cert or config?

I am following this documentation:

Configure ISE 3.0 REST ID with Azure Active Directory - Cisco

Best Regards

Robin


15 Replies

You are missing the Baltimore CyberTrust Root CA cert. Here is the list of certs used by Azure. Make sure they are imported to ISE.

https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list

**** please remember to rate useful posts

Hi Mohammed,

Thanks for your answer. The Baltimore CyberTrust Root CA was also installed in the ISE as Cisco Services...

Just set the certificate usage for the admin portal as well.

You mean:

choose 'Trust for certificate based admin authentication'?

lupingyao_0-1683114148012.png


lupingyao_0-1683115666007.png

This is a new ISE, just installed, so I am using the default self-signed cert...

Yes, I meant this one, 'admin authentication'. Also, you need to use a CA-signed certificate to communicate with Azure; otherwise, it won't trust your ISE.

Here is the list of certs which I used. 

MohammedalBaqari_0-1683117790474.png


lupingyao_1-1683119045723.png

For me it's the same; that is why I don't understand...

But you have a self-signed cert. You need a signed one for the admin portal. That is the one used to communicate with Azure.

It won't work with a self-signed one.

You mean that I need a public certificate for the admin portal, from DigiCert Global Root G2 CA?

Or can I upload my self-signed cert to Azure and let Azure trust my cert?

Yes, you need a signed cert like digicert

You mean that I need a public cert?

I have tried using a private cert, and I got this error:

lupingyao_0-1683622701378.png


You don't need a certificate signed by a public CA, but I'm not sure if Azure will accept a self-signed certificate. I have ROPC working in my lab with ISE using an Admin certificate signed by my internal ADCS.

The error you've posted references 'NotAfter: Fri Aug 05 2022' which would seem to indicate an expired certificate is being used. I would suggest checking for any expired certificates in the System and Trusted stores.

These are the Microsoft related certificates (Trusted Certificates) I have installed in my lab that is working with ROPC.

Screenshot 2023-05-10 at 8.40.03 am.png
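The two checks the replies above come down to are NotAfter (is anything in the System or Trusted store expired?) and chain trust (does the peer's chain end at a root that is actually in the store?). The following shell script is an added example and is not from this thread or from Cisco; it does both checks with the openssl CLI against a constructed demo store (two made-up roots and a short-lived leaf, none of them real Azure or DigiCert certificates) of the kind you would build by exporting ISE's trusted certificates to PEM. An "untrusted" result from the chain check is the same condition Java reports as "No trusted certificate found".

```shell
#!/bin/sh
# Added example (not from the thread): audit a PEM trust store for expired
# certificates and for leaf certs that do not chain to a root in the store.
set -eu

# Build a constructed demo store in a temp dir. "Demo Root a" signs a leaf;
# "Demo Root b" is an unrelated root, standing in for a store that lacks the
# issuing CA. These are placeholders, not Azure's or DigiCert's real CAs.
make_demo_store() {
    STORE=$(mktemp -d)
    for ca in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout "$STORE/root_$ca.key" -out "$STORE/root_$ca.pem" \
            -subj "/CN=Demo Root $ca" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$STORE/leaf.key" -out "$STORE/leaf.csr" \
        -subj "/CN=login.example.test" >/dev/null 2>&1
    # Short-lived leaf (2 days) so the "expires within a week" check flags it.
    openssl x509 -req -in "$STORE/leaf.csr" -CA "$STORE/root_a.pem" \
        -CAkey "$STORE/root_a.key" -CAcreateserial -days 2 \
        -out "$STORE/leaf.pem" >/dev/null 2>&1
    echo "$STORE"
}

# Print "valid" if cert $1 is still valid $2 seconds from now, else "expiring".
# With $2 = 0 this is the plain NotAfter test to run on every exported cert.
check_expiry() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

# Print "trusted" if cert $1 chains to a root in CA file $2, else "untrusted".
chain_status() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Walk every PEM in a directory and report both checks, like a store audit.
audit_store() {
    dir=$1; cafile=$2
    for pem in "$dir"/*.pem; do
        printf '%s  %s  %s\n' "$(basename "$pem")" \
            "$(check_expiry "$pem" 0)" "$(chain_status "$pem" "$cafile")"
    done
}

STORE=$(make_demo_store)
# Audit against root_a: root_a and leaf are trusted, root_b is not.
audit_store "$STORE" "$STORE/root_a.pem"
```

To apply this to a real store, export the certificates from ISE to PEM files, run check_expiry with 0 over all of them to find anything past NotAfter, and run chain_status on the certificate Azure presents (captured with `openssl s_client -showcerts`) against a CA file built from the exported trusted roots.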