cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2224
Views
4
Helpful
6
Replies

Binding Certificate/Private Key validtion failed

Ruelb2214
Level 1
Level 1

Hello All,

Has anyone encounter issue when they bind certificate, error will pop-up certificate/private key validation failed.

We have generated CSR in Cisco ISE for Portal usage, then we submitted to public CA to signed, they send us .crt file including the intermediate certificate, I uploaded the intermediate .crt to Trusted Certificate. Then I bind the signed cert in, after click submit its shows error certificate/private key validation failed.

Can someone guide me, is it correct to use the .crt file in binding or must use the .pem file? because the public CA onlne send us .crt file.

1 Accepted Solution

Accepted Solutions

ammahend
VIP
VIP

basic check but I am assuming you also have the root certificate in trusted certificate store and not just intermediate.

seems when you are binding the signed certificate ISE is not able to decrypt the signed public certificate with the private key generated in system when you generate CSR. I am not sure you can export private key out of ISE to test this out,  might be easier to just generate a new CSR, enure complete chain in imported in trusted store and then bind again, don't think you will have to pay again, you should be able to revoke and sign a new CSR with your CA.

-hope this helps-

View solution in original post

6 Replies 6

Ruelb2214
Level 1
Level 1

well I got .pem file but still shows error certificate/private key validation failed. Anyone has idea what is wrong on my config?

Hello @Ruelb2214,

Use external tools, such as OpenSSL, to validate the certificate and private key outside of the Cisco ISE environment. This can help identify any issues with the certificate files themselves:

openssl x509 -in certificate.pem -text -noout
openssl rsa -in privatekey.pem -check

These commands will check the certificate and private key respectively for any errors or issues.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

hello, you finally succeeded? i have the same problem

@ammahend thanks for your feedback.

@JuanG Gonzalez Bravo yeah was able to resolved. I trace back to the CA, and there was problem in CA when it sign the cert.

ammahend
VIP
VIP

basic check but I am assuming you also have the root certificate in trusted certificate store and not just intermediate.

seems when you are binding the signed certificate ISE is not able to decrypt the signed public certificate with the private key generated in system when you generate CSR. I am not sure you can export private key out of ISE to test this out,  might be easier to just generate a new CSR, enure complete chain in imported in trusted store and then bind again, don't think you will have to pay again, you should be able to revoke and sign a new CSR with your CA.

-hope this helps-

Do you get cert from ppan span or other node?

Can I see the tree of cert