Import root certificate with same subject and issuer name

Neelesh Marathe
Cisco Employee

Hello Team,

 

We have a total of 22 ISE nodes (including Admin+Mnt) in the cluster and are using ISE version 2.4. We have already installed an identity certificate for every node from a private CA and assigned the "Admin" role in ISE. We have also installed the root certificate in the Trusted store. All the certificates are SHA1 certificates.

 

Now the customer has upgraded the same Certificate Authority server to support SHA 2 and provided us with new identity and root certificates.

 

While importing the new root certificate, it is giving the following error.

"There is one system certificate with the same subject name and issuer but having a different serial number. Importing was aborted. For successful importing, you need to remove the other certificate first"

 

My questions are,

1. If I remove the earlier root certificate, not changing identity certificate role, will it impact ISE functionality?

2. Do I need to change "Admin role" to some other certificate first, then remove the root certificate, and then install the new root and identity certificates?

 

Could you please guide us on the correct way of importing the certificates in this scenario?

 

Thanks,

Neelesh Marathe

Accepted Solutions

howon
Cisco Employee

1. Yes, but you will not be able to remove the root CA certificate until none of the identity certificates are tied to the old root CA.

2. Yes, but make sure, even after using another certificate temporarily, that the communication between the PAN and secondary nodes is functioning before proceeding.

Thanks Hosuk for your response. It answered my questions.
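
The accepted answer depends on knowing which identity certificates are still tied to the old root, and when both roots carry the same subject and issuer only the signature can tell them apart. The script below is an added example, not part of the thread or of any Cisco tooling: it assumes the certificates have been exported as PEM and are inspected with the openssl CLI on a workstation, and the subjects, file names and SHA-256 sample certificates are all constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Subjects and file names are constructed.

# True when two certificates share subject and issuer but differ in serial,
# which is the condition the ISE import error reports.
same_name_different_serial() {
    [ "$(openssl x509 -in "$1" -noout -subject -issuer)" = \
      "$(openssl x509 -in "$2" -noout -subject -issuer)" ] &&
    [ "$(openssl x509 -in "$1" -noout -serial)" != \
      "$(openssl x509 -in "$2" -noout -serial)" ]
}

# Report which root's key signed a certificate. Issuer names cannot answer
# this when both roots share a subject; only the signature check can.
signed_by() {   # usage: signed_by cert.pem old-root.pem new-root.pem
    if   openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo old
    elif openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then echo new
    else echo none
    fi
}

# Constructed sample in directory $1: two roots with one subject (serials 1
# and 2), each issuing one node certificate.
make_sample() {
    d=$1; s=0; subj='/O=Example Corp/CN=Example Private Root CA'
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    for r in old new; do
        s=$((s + 1))
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
            -days 30 -set_serial "$s" -subj "$subj" \
            -keyout "$d/$r-root.key" -out "$d/$r-root.pem" 2>/dev/null
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=ise-$r.example.com" \
            -keyout "$d/$r-node.key" -out "$d/$r-node.csr" 2>/dev/null
        openssl x509 -req -in "$d/$r-node.csr" -CA "$d/$r-root.pem" \
            -CAkey "$d/$r-root.key" -set_serial 1001 -days 30 -sha256 \
            -out "$d/$r-node.pem" 2>/dev/null
    done
}

tmp=$(mktemp -d) && make_sample "$tmp"
same_name_different_serial "$tmp/old-root.pem" "$tmp/new-root.pem" &&
    echo "roots share subject and issuer but not serial"
for who in old new; do
    echo "ise-$who: $(signed_by "$tmp/$who-node.pem" "$tmp/old-root.pem" "$tmp/new-root.pem") root"
done
rm -rf "$tmp"
```

Run against real exports, any node certificate that still reports `old` is one that keeps the old root in use.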