
Edit Trusted Certificate ISE 3.1.0.518 P3 of my Private CA

chris-lawrence
Level 1

Team,

I'm trying to edit my private CA I use for EAP Authentication with my PSN's. For the EAP-TLS, everything works great - policy set validates the SHA-256(etc) for certificate handshakes and my endpoints are authenticated to the network. What I am experiencing is a problem with setting the "Certificate Status Validation" section for my imported Trusted Certificate.

As the logged on super admin, I can select any of the Cisco embedded Trusted Certs which are placed as part of the image and define this CRL Processing by selecting the checkbox and hitting Edit within Administration > System > Trusted Certificate - I'm able to edit the Trusted Certificate.

- BUT - for the Trusted Certificates I have placed - by doing a CSR from the PSN's and getting these Trusted Certificates in my PAN's - when I hit the checkbox and edit, nothing happens - I cannot edit my placed trusted certificates. Is it the way I imported my certificates in the first place? I use a PKCS7 (with the entire trusted chain) when I imported - system seems to see all my placed certs as good - I just cannot edit enabling the CRL processing.

These placed certificates are only located in my PSN's - perhaps that is the issue?

Thanks for the assist, Chris

1 Accepted Solution


chris-lawrence
Level 1

To be helpful to the community - I found that this was related to using alternate interfaces (other than GE0) as the UI interface. I had the same problem exceeding patch 3 - I reconfigured my cluster to place the UI on the GE0 with the other deployment needs and I was able to both patch to 5 as well as edit my placed trusted certificate.


3 Replies

poongarg
Cisco Employee

Hi Chris,

PKCS7 certificate files contain the entire certificate chain. Kindly follow the community post below:

https://community.cisco.com/t5/network-access-control/import-pkcs-7-certificate-into-cisco-ise-2-2/td-p/3092505

Later test and provide the results.

 

chris-lawrence
Level 1

poongarg,

Thanks for your reply - I don't have an issue with the p7b - I got the issuing CA and root into the trusted certificates section of my ISE 3.1 build - My issue is I cannot "edit" these trusted certificates so that I can define a CRL URL as I could using one of the other embedded trusted certificates Cisco defines as part of a default build (e.g. the Baltimore trusted cert). I'm trying to change my "admin" certificates over to this private PKI so that my PANs are enrolled into that PKI - hopefully allowing me to "edit" them. It's my leading theory at this time. I only had my PSNs for EAP enrolled.
