
Cisco ISE Fails to Create CSR/Self Signed Certificate

CSCO10675262_2
Level 1

Hi,

I am trying to create a certificate signing request for the Cisco ISE, however it seems to keep prompting with an error "Failed to write to file". Looking at the log files, it gives the following errors for both CSR and self-signed certificate creation:

ise-psc.log:

2012-08-13 17:10:41,592 ERROR 2012-08-13 17:33:41,592  [http-443-5][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: CSR generation failed: Failed to write to file

pki.log:

Crypto::Result=0, Initialize

Crypto::Result=207, Crypto.Manager.init - Module already initialized

Crypto::Result=0, Initialize Private Key Password Key File

Crypto::Result=0, Private key password key file /opt/CSCOcpm/prrt/config/prikeypwd.key exists, using it

Crypto::Result=0, Generating certificate sign request

Crypto::Result=1, Unable to encode private key

Crypto::Result=1, Unable to encode private key

Crypto::Result=221, Unable to write private key file /opt/CSCOcpm/prrt/config/D09CFE0317AA476B8BA62125B357EB05.key

Crypto::Result=221, Unable to write private key blob by guid

Crypto::Result=0, Shutdown

Crypto::Result=0, Initialize Private Key Password Key File

Crypto::Result=0, Private key password key file /opt/CSCOcpm/prrt/config/prikeypwd.key exists, using it

Crypto::Result=0, Generating self-signed certificate

Crypto::Result=1, Unable to encode private key

Crypto::Result=1, Unable to encode private key

Crypto::Result=221, Unable to write private key file /opt/CSCOcpm/prrt/config/9658B66AD99B40D08153644ABAF4F1EB.key

Crypto::Result=221, Unable to write private key blob by guid

Crypto::Result=0, Shutdown

The ISE version is 1.1. Not too sure what may be causing the error?

Any help is appreciated.

Thanks.

8 Replies

Tarik Admani
VIP Alumni

Hi,

Did you try rebooting the appliance? I am curious to see if that fixes your problem.

Tarik Admani
*Please rate helpful posts*

Did you ever resolve this issue?

I have the same problem

Hi,

Is there another CSR already generated? If so, can you delete it and try it again?

Thanks,

Tarik Admani
*Please rate helpful posts*

No other CSR, just the other cert imported from the secondary ISE when registering it as secondary, and that needs to be there I assume.

Rebooting ISE fixed the issue.

Hi Tarik,

We just managed to reboot the server and the issue is resolved after reboot. I was wondering if you may know the possible cause of it?

Thanks.

If you could send me the logs when you generate another CSR as a test I would like to see if the GUID changed or not when it was able to write the private key file:

/opt/CSCOcpm/prrt/config/D09CFE0317AA476B8BA62125B357EB05.key

Thanks,

Tarik Admani
*Please rate helpful posts*
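A triage helper for the pki.log format quoted in this thread, added here as an example (not Cisco's code and not posted by any participant): it groups lines into operations ending at `Shutdown`, collects the non-zero `Crypto::Result` lines, and extracts the key-file GUID so that runs can be compared as requested in the reply above. Treating `Result=0` as success and the function names `parse_operations` and `guid_changed` are assumptions.

```python
import re

# Shortened excerpt of the pki.log lines quoted in the original post.
SAMPLE = """\
Crypto::Result=0, Initialize
Crypto::Result=207, Crypto.Manager.init - Module already initialized
Crypto::Result=0, Generating certificate sign request
Crypto::Result=1, Unable to encode private key
Crypto::Result=221, Unable to write private key file /opt/CSCOcpm/prrt/config/D09CFE0317AA476B8BA62125B357EB05.key
Crypto::Result=0, Shutdown
Crypto::Result=0, Generating self-signed certificate
Crypto::Result=1, Unable to encode private key
Crypto::Result=221, Unable to write private key file /opt/CSCOcpm/prrt/config/9658B66AD99B40D08153644ABAF4F1EB.key
Crypto::Result=0, Shutdown
"""

LINE_RE = re.compile(r"^Crypto::Result=(\d+),\s*(.*)$")
KEY_RE = re.compile(r"(/\S+/)([0-9A-F]{32})\.key")  # GUID-named key file


def parse_operations(text):
    """Group log lines into operations; each one ends at a 'Shutdown' line."""
    ops, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything not in the Crypto::Result format
        code, msg = int(m.group(1)), m.group(2).strip()
        if cur is None:
            cur = {"action": None, "nonzero": [], "key_dir": None, "key_guid": None}
        if msg.startswith("Generating "):
            cur["action"] = msg[len("Generating "):]
        if code != 0:  # assumption: 0 is success, anything else deserves a look
            cur["nonzero"].append((code, msg))
        key = KEY_RE.search(msg)
        if key:
            cur["key_dir"], cur["key_guid"] = key.groups()
        if msg == "Shutdown":
            ops.append(cur)
            cur = None
    if cur is not None:
        ops.append(cur)  # log was cut off before Shutdown
    return ops


def guid_changed(ops):
    """True when the operations did not all target the same key-file GUID."""
    return len({op["key_guid"] for op in ops if op["key_guid"]}) > 1


if __name__ == "__main__":
    for op in parse_operations(SAMPLE):
        print(op["action"], op["key_guid"], op["nonzero"])
```

The `key_dir` field is the directory to check for free space, ownership and write permission when the key file cannot be written.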

Have you been able to sign that CSR by any third party CA?

I do follow this:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292, but when I make a request at a third-party CA, i.e. Thawte has a free trial version:

https://ssl-certificate-center.thawte.com/process/retail/trial_product_selector;jsessionid=75893E7019CD1CC2E330D5403CD8696F?uid=fe2b60347ab27960b866a286146b7c33&locale=THAWTE_US

When I submit a CSR it's giving me an error saying the CSR needs an ORGANIZATION NAME even though I did put a name there.

I have been messing with openssl to create the request somehow.