11034 Views, 0 Helpful, 10 Replies

Certificate/Private Key validation failed

ymadheka (Level 4)

Hi Team,

Facing an issue while importing a certificate in the ISE 2.3 PoV. The onsite partner has clarified that the CSR file was created and signed by the CA (DigiCert is used for signing the request) as per the documented process, but at the time of import it throws the error "Certificate/Private Key validation failed". The error is as attached here.

Kindly suggest any specific conditions to be checked for this.

1 Accepted Solution

Self-signed certs in testing will fail for some clients! For example, Apple iOS BYOD onboarding in the latest builds has been secured by Apple and will present an awful onboarding experience for the user, as they will have to manually trust the certificate after going through the BYOD flow and then go through it again.

Guest redirects may fail in the latest browsers, as vendors are cracking down on bad certificates and best practice.

Do not deploy self-signed certs in production.

Please see the admin guide recommendation of using a well-known certificate with a wildcard in the SAN for a good solution:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html?bookSearch=true#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

10 Replies

ognyan.totev (Level 5)

I think this is because the root CA is missing from the trusted store. This will help you: How To: Implement ISE Server-Side Certificates

Hi,

Thanks for the response.

We have managed to solve the issue with a wildcard certificate signed from a CSR generated by ISE. We also understand that the customer currently has a wildcard certificate in their internal CA, hence we need the wildcard certificate for the ISE portals and functionalities, which is not working since the Windows clients reject certificates with * in the CN name. In this case, even if we uncheck Validate Server Certificate, the redirection is still not working.

Kindly clarify if we can use a self-signed certificate to achieve the ISE AAA, BYOD and posture capabilities.

Hi again, yes, you can use a self-signed certificate for different portals. Just go to Certificate Authority, System Certificates, choose the self-signed certificate and edit it to use it for portals.


Hi Jason,

Thanks for the clarification and suggestion.

We will work on the same and let you know in case of any further queries.

Best Regards,

Yogesh Madhekar

We are using a self-signed certificate, but the issue is that the redirection is not working; we get the error screenshot mentioned above, with the error stated here:

After diagnosing the issue, it has been found that the RADIUS authentication is failing on the Cisco attribute-value pair (Cisco AVPair) "coa-skip-logical-profile=".

Has anyone got any idea into this error?

Call TAC to debug switching issues.

Known bugs:

CSCvg70582 (ISE bug)

CSCsx97093 (Switch bug)

Douglas Koja (Level 1)

I had the same problem today, 2/17/2020.

The problem is the format of the certificates.

The certificate must be in .PEM or .DER format.

The private key must be in .KEY format.

Obeying these requirements, and using the correct password, the procedure works.

Here I imported DigiCert's Root, but I don't know if this step is really necessary; in any case it doesn't hurt.
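The two causes named in this thread (a root CA missing from the trusted store, and a certificate or key in the wrong format or with the wrong password) can both be checked on a workstation before touching the ISE import dialog. The script below is an added example written for this page, not Cisco's code or anything from the ISE admin guide; it only uses the openssl CLI. It assumes three files: the server certificate (PEM or DER), its private key (optionally password-protected), and the issuing CA chain as a PEM bundle. The file names and the example subject names in the comments are constructed for illustration.

```shell
#!/bin/sh
# Pre-import checks for an ISE system certificate (added example, not Cisco's code).
# Requires only the openssl CLI. Assumed inputs: server.{pem,der}, server.key, ca-chain.pem.

# Print "PEM" or "DER" depending on how the certificate file is encoded.
# ISE accepts either, but openssl needs to be told which one it is reading.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Return 0 if the private key is password-protected (ISE will ask for that
# password on import). Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and the
# traditional "Proc-Type: 4,ENCRYPTED" headers contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q ENCRYPTED "$1" 2>/dev/null
}

# Return 0 when the certificate's public key is the one derived from the
# private key. Comparing the SubjectPublicKeyInfo blocks works for RSA and EC
# keys alike; a mismatch here is exactly what "Certificate/Private Key
# validation failed" reports. A wrong password also fails this check.
cert_key_match() {
    cert=$1 key=$2 pass=${3:-}
    inform=$(cert_format "$cert")
    cert_pub=$(openssl x509 -inform "$inform" -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "$pass" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    fi
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate chains to the CA bundle. If this fails, the
# root or intermediate is what has to be imported into ISE's trusted store first.
chain_verifies() {
    cert=$1 bundle=$2
    inform=$(cert_format "$cert")
    if [ "$inform" = DER ]; then
        # openssl verify expects PEM input, so convert a DER certificate on the fly
        openssl x509 -inform DER -in "$cert" 2>/dev/null | openssl verify -CAfile "$bundle" >/dev/null 2>&1
    else
        openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
    fi
}

# Usage (constructed file names):
#   cert_key_match server.pem server.key 'keypassword' && chain_verifies server.pem ca-chain.pem \
#       && echo "ready to import" || echo "fix certificate, key, password or CA chain first"
```

Run the three checks in order: format first, then key match (with the same password you will type into ISE), then the chain. If only the chain check fails, import the CA certificates into the trusted store before retrying the system certificate, which is what the first reply in this thread suggests.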