cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

642
Views
8
Helpful
6
Replies
Highlighted
Beginner

ISE 1.1.1 Certificate Issue

I've an ISE deployment of two nodes. I generated a CSR, self signed it and bind it in the ISE. It was working fine. Now when i wanted to change the certificate with a new authority. I took the same CSR and signed it with different authority. But after uploading it to the ISE and deleting the old one, i'm still getting the same certificate when i do https. I deleted the old certificate from secondary node also and rejoined it. Even i restarted the ise appliance but still getting the old certificate from primary node.

Is this a bug or do i need to change something? I already seletected the new certificate for HTTPS and EAP authentications.

Thanks,

Zohaib

6 REPLIES 6
Highlighted
Beginner

Is the old cert gone from the cert store?
Make sure it's not knocking around somewhere.
I've seen similar, but deleted old cert and app stop ise, app start ise cured it.

Sent from Cisco Technical Support iPhone App

Highlighted
Cisco Employee

Hmm that is very interesting. You can try this:

- Instead of deleting the old cert, just import the new cert and check the box to "override" the existing one for the HTTPS protocol. If successful the services on the affected node will restart.

Thanks for rating!

Highlighted
Beginner

@bikespace

I checked all the locations in primary and secondary node but couldn't find the old one. After i deleted the old one, i did stop, start the ise app but same problem.

@Neno

That's what i did in the start, i didn't delete the old one, just override it with new one and stop start the ise app. It was still giving me the old cert, that's why i delete it.

It seems like the old cert is stored somewhere in the disk, which is ofcourse not accessbile. My last option would be to backup and factory default both boxes, restore and generate new certificates since the backup doesn't backup certs.

Thanks,

Zohaib

Highlighted

If you are having that much trouble with it I would recommend that you escalate it with TAC. They can provide you with a root patch which will give you root access to the system and the cert can be manually deleted that way. Otherwise if you backup the system and factory restore it you are risking of ending up at the same place where you started

Thanks for rating!

Highlighted
Beginner

Highlighted

The issue was resolved after i install certificates signed by new CA server and restart both the boxes. After the restart every thing came to normal with only one certificate selected for EAP and HTTPS authentications.

I guess some internal process was hanged and it resolved after restart.

Thanks,

Zohaib