Showing results for 
Search instead for 
Did you mean: 

How to generate/export a private key in ISE 2.0: Any idea?




     Curious to know the process mentioned in the title of this discussion. I'm looking everywhere for this, but cannot find it so far. Any detailed explanation on how this can be achieved would be greatly appreciated.


Thank you in advance.


Accepted Solutions

Extract Private Key from .pfx


openssl pkcs12 -in Client-cert.pfx -nocerts -out key.pem -nodes


Extract Cert from .pfx


openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

View solution in original post


Flavio Miranda



Cisco does not recommend exporting the private key associated with the certificate because its value may be exposed. If you must export the private key, you must specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key."


Anyway, you can do this on the Administration / System / Certificate.


-If I helped you somehow, please, rate it as useful.-

Thank you for the response. 


I'm honing in on exactly what is required now. My apologies for shifting off my previous predicament (not too tangential to what was initially stated).


We are looking to import the server certificate into our ISE PSN node.


It looks as if we:


A) Need to generate a private key via ISE web GUI (not sure where this is done via ISE web GUI. We already purchased and installed the public key)


Then go to Administration > System > Certificates > System Certificates and:


  1. Select Node (we can do this w/o issue)
  2. Choose our Certificate File (it sees our crt file w/o issue)
  3. *Choose our Private Key File (no idea where this is. When we select the "Choose File" button nothing comes to view).
  4. Go from there

(where "*" (3.) = actual issue at hand)

How did you purchase the certificate? To have a certificate issued to you in the first place, you need to have a private/public key generated on the server that you want the cert on. Out of that you send the public key to the CA (along with other attributes) and get it signed. You then import the certificate to the server, which then logically binds the private and public key together.


If I understand your question correctly, you already have a certificate issued to another server. You want to be able to export that cert and import that into ISE, like you would do for a Wildcard cert. If so, what you would need to do is export the certificate and key from that server as a pkcs12 file (or pfx for windows). This file has to be then split into private and public key using openssl. How to do this is given here:


Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile

You can then import this separately on ISE.