Invalid Password for Private Key when trying to bind CA signed cert

ITDept5418883
Level 1

Hello,

I created a CSR for an expired EAP Authentication cert on my ISE box and received a new cert from my local CA server. When I try to bind the new cert to the CSR I created, I receive a "Certificate/Private Key validation failed" message. Problem is, the system never asked for a password when the CSR was created. So how do I find the password or generate one?

5 Replies

@ITDept5418883 are you attempting to import the certificate?

If you generated the CSR on the ISE node and this has been signed by the CA, you navigate to Administration > System > Certificates > Certificate Signing Requests, then tick the checkbox on the CSR and click Bind Certificate.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html#toc-hId--1724576993

 

Thanks for the reply Rob.  Unfortunately, when I follow the steps in the article you sent, I still get the same error message.


@ITDept5418883 was the signed identity certificate issued from the CSR you created on ISE?

I suggest recreating a new CSR from the ISE GUI, getting that signed by the CA, and trying again.

Rob,

We have a local AD integrated CA server that issues certs automatically to all workstations for authentication purposes on the ISE. We also use this CA server for the EAP Auth cert for ISE. I have created a CSR on ISE twice before, received a cert from the server and successfully imported into ISE.  I don't remember having this password issue previously and I would assume I would be prompted to create a password at some point which I'm not.

Sam is my name btw, sorry for the anonymous user name.

 

@ITDept5418883 Sam, if the CSR is generated on ISE, the private key is stored locally. So as long as the internal CA signs that CSR and you import the signed certificate, it should work.

Have you attempted to generate a new CSR, get this signed and attempt to bind?

I have checked previous posts for the same error message and in this post the issue was traced back to the signed certificate.
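
The replies above ask whether the signed certificate was really issued from the CSR generated on ISE. One way to check that offline, as an added example that is not part of the thread or of Cisco's documentation, is to compare the public key in the CSR with the public key in the certificate the CA returned. It assumes both files have been exported to a workstation with OpenSSL installed; the function names and file names are hypothetical.

```shell
# Added example: does the signed certificate carry the same public key as the CSR?
# Assumes the CSR exported from ISE and the certificate returned by the CA are
# available as files. CA servers often return DER-encoded .cer files, so both
# PEM and DER encodings are tried.

# Print the SHA-256 of the public key found in a CSR or certificate.
#   $1 = "req" for a CSR, "x509" for a certificate;  $2 = file path
pubkey_hash() {
    local kind=$1 file=$2 form pem
    for form in PEM DER; do
        if pem=$(openssl "$kind" -in "$file" -inform "$form" -noout -pubkey 2>/dev/null) \
           && [ -n "$pem" ]; then
            printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
            return 0
        fi
    done
    echo "cannot parse $file as $kind (tried PEM and DER)" >&2
    return 1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
#   $1 = CSR file;  $2 = signed certificate file
cert_matches_csr() {
    local csr_hash cert_hash
    csr_hash=$(pubkey_hash req "$1") || return 2
    cert_hash=$(pubkey_hash x509 "$2") || return 2
    if [ "$csr_hash" = "$cert_hash" ]; then
        echo "MATCH: certificate contains the public key from this CSR"
        return 0
    fi
    echo "MISMATCH: certificate contains a different public key than the CSR"
    return 1
}

# Stand-alone use: sh check.sh ise.csr signed.cer   (placeholder file names)
if [ "$#" -eq 2 ]; then
    cert_matches_csr "$1" "$2"
fi
```

A mismatch means the certificate was issued for a different key pair than the one held for that CSR, in which case binding cannot succeed and the certificate has to be reissued from the correct CSR.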