Re: CErtificate guest ISE

athan1234 · ‎07-15-2025

My customer neeed s to upgrate expaire certificate guest portal .

I n my head allwys has the same create rthe CSR and after of taht bind the certificate . I always made this way for what if you fgenerete the csr from ise the key is inide and ypu pas the private key and after of that whn the customer recive the csr an bind fort oytr part thereis no a key file it is more esay( this is my terohi i founfd lonh time ago maybe the explication is not good)

My customre pass to me the diferent file when i tried to bind i recibve this erros

I forgot which file i need to use for bind i chosse

in the first toime i tried to use .crt

I get the errror first it is necesary toi put in trusted i puttting in truisted i get this errro r

ANd i tester with .pem another error.

I am seraching in google and the solucion i see it is create a note pad with 3 certificates .cer.cert.and intermedete . and save .pem and trynt to binded it is a good solution

Rob Ingram · ‎07-15-2025

@athan1234 the new certificate has the same attributes as the existing certificate, and you cannot import the new certificate unless these are different, hence the error.

Either create a new certificate, with slightly different attributes or temporarily assign the guest portal usage to another certificate on the same node. Delete the expiring guest certificate and then install the new guest certificate and assign the usage.

athan1234 · ‎07-15-2025

Thank you for the clarification! That makes sense - the error is because there's already a certificate with the same attributes installed in ISE.

Just to confirm, these are the steps I should follow:

Temporarily change the portal certificate assignment:
- Go to Administration > System > Certificates > Certificate Management > System Certificates
- Find another valid certificate (can be the ISE self-signed certificate)
- Edit its "Usage" and check "Portal"
- Save the changes
Delete the old certificate:
- Once the portal is using a different certificate, find the old "xxxxxxxxxres.com" certificate
- Select it and click "Delete"
Bind the new certificate:
- Select my CSR (Certificado_Guest_Portal_2025)
- Click "Bind CA Signed Certificate"
- Use the file xxxxxxxxxxxcom.crt (just the certificate file, not the bundle)
Assign "Portal" usage to the new certificate:
- Once imported, edit the new certificate
- Check the "Portal" checkbox in Usage
- Save the changes

Is this the correct process? Should I use just the certificate file (.crt) for the bind, or do I need to include the intermediate certificates in a bundle?

Rob Ingram · ‎07-15-2025

@athan1234 yes the procedure looks ok, perhaps backup the old certificate before deleting (just in case).

As it's the same issuer issued the new certificate the intermediate root certificates that are part of that bundle should not be required to be imported again.

athan1234 · ‎07-15-2025

I get this error: 'The certificate is already expired.' My customer is aware of this. When I try to delete it, I get this error

Rob Ingram · ‎07-15-2025

@athan1234 change the usage of a temp certificate to portal or you could just modify those portals and change the certificate tag. Then you can complete the task of importing the new certificate.

athan1234 · ‎07-15-2025

How can I modify the portal? My brain's not working properly today.

Rob Ingram · ‎07-15-2025

@athan1234 select a temp certificate and change the usage to "Portal"?

MHM Cisco World · ‎07-15-2025

Dustin Anderson · ‎07-15-2025

Just to clarify, edit a temp certificate to use, add the portal and select the default portals from the drop down menu to reassign them. I think just selecting portal won't reassign them directly.

athan1234 · ‎07-16-2025

@Rob Ingram @Dustin Anderson

Ok i did it . Whne i tritd to add the bind i recived an error . But now.

I am using a certificate with the .crt extension.

When I added it to the trusted certificates, I received this warning

Dustin Anderson · ‎07-16-2025

ok, the first error is expected as when you reassign the portals they restart to apply the cert. This is not a system restart so not disruptive. I have not seen the second error, but question is when you got the cert, did you get just the cert, or is it the cert with chain? I usually load the cert with chain.

athan1234 · ‎07-17-2025

I don't know, always I pass to the customer the CSR and then they pass to the company certificates my CSR and the pass to me the fiklles join and afetr taht i bingd the certicficae they pass to me alwys forget wich one is the certificate extension i need to bind . But in this case ima having issue

athan1234 · ‎07-21-2025

The problem now is that I selected the portal for another certificate. for replace the earlier one, but now when the customer try to connect, the portal doesn't appear. can I select the last certificate with the portal and check the option for the portal so that it can work, at least.