cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ISE 1.4 EAP certificate renewal issue

GLiquorish
Beginner
Beginner

Hi,

 

I have a four node ISE cluster that one of the EAP certificates has expired.  A new certificate has ben issued with the same subject as the exiting one.  I am prompted that I can only have two certificates with the same subject when I am replacing one with the same role (I am).  I get an Okay prompt but it won't let me continue and I can't remove the expired certificate because it reports "The EAP certificate cannot be deleted".

I did try to replace this before it expired but was running into the same issues.

How do I de-link this certificate for me to be able to replace it?

 

I have a 2.6 cluster that is currently being configured but would like to get this one ack up a running to give me more breathing space.

 

Regards

Gavin

1 ACCEPTED SOLUTION

Accepted Solutions

Anurag Sharma
Cisco Employee
Cisco Employee

Hi @GLiquorish ,

You have two choices here:

  1. You click on 'Edit' on another certificate on that node and choose EAP service. That way you can move the EAP service from the current certificate and then delete the expired EAP certificate. Next, add your new certificate and select EAP again. You should now have EAP on the new and shiny certificate.
  2. You create a new CSR, just like the expired EAP certificate, except for a minor change like OU, City, etc. Then you get it signed and bind it the with the CSR. It shouldn't give any warnings.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

View solution in original post

2 REPLIES 2

Anurag Sharma
Cisco Employee
Cisco Employee

Hi @GLiquorish ,

You have two choices here:

  1. You click on 'Edit' on another certificate on that node and choose EAP service. That way you can move the EAP service from the current certificate and then delete the expired EAP certificate. Next, add your new certificate and select EAP again. You should now have EAP on the new and shiny certificate.
  2. You create a new CSR, just like the expired EAP certificate, except for a minor change like OU, City, etc. Then you get it signed and bind it the with the CSR. It shouldn't give any warnings.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Hi

Thanks for the response. 

I have managed to delete the old certificate but binding the new certificate to the CSR generates an "Internal error. Ask your system administrator to check the logs for more details" message.

 

The debug logs are showing the following two messages:

2020-06-17 14:01:26,573 ERROR [admin-http-pool132][] infrastructure.certmgmt.service.impl.LocalCertificateServiceImpl -:::::- Unexpected exception: com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

 

com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

 

Is it worth rebooting this server and if so, what is the cleanest way to do this?

 

Regards

Gavin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: