Generating CSR Error on ISE for System Certificate used for EAP Authentication

colossus1611
Level 1

Hi All,

Quite new to the whole experience of ISE and Certificate based authentication on it.

I am trying to generate a CSR for a System EAP authentication certificate that expires on 7th May for us. While trying to generate the CSR, however, I get the error message below and the CSR does not get generated. How can I get beyond this? I am not sure if I should change any of the details from the existing certificate.

[attachment: ISE CSR Error.PNG]

Thank you.


Francesco Molino
VIP Alumni

Hi,
The CSR you're generating mustn't have the same values in all fields as the one existing today already in use. Have you validated that you're filling in the same values in all fields?


Edit: typo error

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for the inputs. So I can add to the OU field to make it different, ensure it isn't used in any policy matching, and it should be fine.

This brings me to another important issue I am facing with the CSR though: I am doing it for two nodes at the same time. How do I fill in the CN field under Subject in that case?

Thanks.

There are two typical approaches... wildcard certificates or Subject Alternative Name (SAN).

Some clients might not support wildcard certs for EAP authentication so, when I've had a similar customer wanting to use a single EAP cert for multiple PSNs, I've used the SAN option.

You would create the CSR (on PSN1) such that the CN = PSN1 FQDN and the SAN field has both the PSN1 and PSN2 FQDNs (in that order).

You would then bind the cert to the CSR on PSN1, export the certificate with the key, then import the cert into PSN2.

Not sure I get your question correctly for CN.
By default, it's filled in with the keyword FQDN and ISE will use the FQDN of each server automatically for each CSR you generate (1 at a time).

If you want to have only 1 cert, you can do 1 csr, export it with its private key and import it on all other nodes.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks again.

So it sounds like there are two ways, although I find it much simpler if I let it use the FQDN under the CN field, if it works. Currently the CN field has $FQDN$ by default, so that should work so long as I update one of the other fields, say OU, to differentiate the certs from the existing ones, and then it should all fall into place.

So I would generate the CSR with those two fields as below, for example:

[attachment: ISE CSR CN and OU field.PNG]

Yes. If you want to have 1 certificate for both, you can add DNS names into the SAN. Also you can change the FQDN variable to something like eap.company.com to have something common. However, you can move with 2 certificates as you said.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

One final query on this one guys: how can I restore the previous certificate, if for any reason the new certificate does not work? Would it just be a matter of ticking/unticking the EAP authentication check box on the certificates? I note that currently I am not able to untick the EAP authentication option on the certificate in use. Also, should I be exporting the existing certificate with its private key as a backup before changing over to the new certificate? It might all turn out to be pretty straightforward, but I haven't been across such a change before, so I am trying to ensure all backup measures are in place. This one being the EAP authentication certificate, it would affect all wired users' authentication.

Thanks.

ISE requires that the EAP function (usage) is assigned to a certificate (and only one) so you cannot simply remove EAP from the existing certificate. You would have to install a new certificate with the EAP usage and ISE will move the EAP usage from the old to the new cert.

As long as the new certificate has a different Subject than the old cert, the old cert should remain on ISE until you delete it. In that case, if the new cert does not work, you should be able to move the EAP usage back to the old cert.

Best practice, however, is to export all identity certificates with their keys and copy them to a safe location that has strong security controls. That way, you can simply re-import them in the event of an unrecoverable node failure and not have to create new CSRs, trust chains, etc.

Greg Gibbs
Cisco Employee

ISE will not allow creating a CSR or binding a certificate that has the same Subject as another certificate. A common approach is to modify one of the certificate fields so that there is no matching Subject value.

I typically use the OU field in the certificate to indicate the Usage (Admin, EAP, etc) of the certificate to avoid duplicate Subject value issues. When renewing a certificate, I often just modify the same OU field slightly (like adding the Month/Year) to produce a unique Subject value.

I haven't seen anyone using the OU attribute as a matching condition in policies, so it is often easy to change.
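The Subject-uniqueness rule Greg describes (and the dated-OU convention for getting around it), modelled as an added example that is not ISE's code or anything posted in this thread. The installed-certificate Subjects, FQDNs and the "EAP May 2021" OU tag are constructed; treating the comparison as case- and order-insensitive is my assumption, since the thread does not say how ISE compares Subjects.

```python
"""Added example (not ISE code): models the Subject-uniqueness rule this thread
works around. Existing certificate Subjects, FQDNs and the 'EAP <Month Year>'
OU tag are constructed; comparing case- and order-insensitively is an
assumption, the thread does not say how ISE compares Subjects."""

# Constructed: (usage, Subject) of certificates already installed on one PSN.
EXISTING_CERTS = [
    ("Admin", "CN=ise-psn1.example.com,OU=Admin,O=Example Corp,C=US"),
    ("EAP Authentication", "CN=ise-psn1.example.com,OU=EAP,O=Example Corp,C=US"),
]


def normalise_subject(dn):
    """Comparable form of a DN string: attribute types upper-cased, values
    trimmed and lower-cased, RDN order ignored (assumption, see module doc)."""
    rdns = set()
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.add((attr.strip().upper(), value.strip().lower()))
    return frozenset(rdns)


def render_subject(template, fqdn):
    """Expand the $FQDN$ placeholder that ISE puts in the CN field by default."""
    return template.replace("$FQDN$", fqdn)


def renewal_template(usage, month_year, org, country):
    """Subject template following the convention above: OU carries the usage
    plus a Month/Year tag, so each renewal gets a unique Subject without
    touching the CN."""
    return f"CN=$FQDN$,OU={usage} {month_year},O={org},C={country}"


def check_csr_subject(template, fqdn, existing=EXISTING_CERTS):
    """Return (ok, detail). ok is False when the rendered Subject matches an
    installed certificate, i.e. the CSR would hit the error in the first post."""
    subject = render_subject(template, fqdn)
    wanted = normalise_subject(subject)
    for usage, installed in existing:
        if normalise_subject(installed) == wanted:
            return False, f"Subject {subject!r} already used by the {usage} certificate"
    return True, subject


if __name__ == "__main__":
    # Same fields as the installed EAP cert: rejected.
    print(check_csr_subject("CN=$FQDN$,OU=EAP,O=Example Corp,C=US", "ise-psn1.example.com"))
    # Renewal with a dated OU: accepted, CN still derived from the node FQDN.
    print(check_csr_subject(renewal_template("EAP", "May 2021", "Example Corp", "US"),
                            "ise-psn1.example.com"))
```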

jewfcb001
Level 4

@Greg Gibbs
Hi Greg,
How do I renew a certificate with the same CN, OU, O, ...?

If you install a certificate with the same Subject as an existing certificate, ISE will throw a warning and the existing certificate will be deleted and replaced with the new one. If you run into issues with the new certificate, you will need to re-import the old certificate with the private key, which will again replace the new one.

@Greg Gibbs
You mean:
1. Delete the existing certificate and change the role (Admin / EAP Authen / Portal) to the new cert
2. Create a CSR with the same attributes, sign it, then install it on ISE and change the role (Admin / EAP Authen / Portal) to it
Am I correct?

You can do it that way, but it will cause a restart of the ISE services every time you move the Admin role to another certificate.

You can create a CSR with the same subject. ISE will throw a warning, but the old certificate won't be deleted until the new signed certificate is bound to the CSR.

My preference, however, is to make a minor change in the subject (like the OU) so you can install the new certificate without warning or replacement. You can then move the relevant role(s) to the new certificate. If there is any issue with the new certificate, you can easily move the role(s) back to the old certificate without having to re-import it with the private key (which would then delete the new certificate).