GLiquorish
Beginner

ISE 1.4 EAP certificate renewal issue

Hi,

I have a four node ISE cluster where one of the EAP certificates has expired. A new certificate has been issued with the same subject as the existing one. I am prompted that I can only have two certificates with the same subject when I am replacing one with the same role (I am). I get an Okay prompt but it won't let me continue and I can't remove the expired certificate because it reports "The EAP certificate cannot be deleted".

I did try to replace this before it expired but was running into the same issues.

How do I de-link this certificate for me to be able to replace it?

I have a 2.6 cluster that is currently being configured but would like to get this one back up and running to give me more breathing space.

Regards

Gavin

Accepted Solution
Anurag Sharma
Cisco Employee

Hi @GLiquorish ,

You have two choices here:

  1. You click on 'Edit' on another certificate on that node and choose EAP service. That way you can move the EAP service from the current certificate and then delete the expired EAP certificate. Next, add your new certificate and select EAP again. You should now have EAP on the new and shiny certificate.
  2. You create a new CSR, just like the expired EAP certificate, except for a minor change like OU, City, etc. Then you get it signed and bind it with the CSR. It shouldn't give any warnings.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.


2 REPLIES 2

Hi

Thanks for the response.

I have managed to delete the old certificate but binding the new certificate to the CSR generates an "Internal error. Ask your system administrator to check the logs for more details" message.

The debug logs are showing the following two messages:

2020-06-17 14:01:26,573 ERROR [admin-http-pool132][] infrastructure.certmgmt.service.impl.LocalCertificateServiceImpl -:::::- Unexpected exception: com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

Is it worth rebooting this server and if so, what is the cleanest way to do this?

Regards

Gavin
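The debug excerpt above is a wrapped Java exception: the CertMgmtException is only the wrapper, and the condition an operator has to act on (the KeyStoreException about the NSS DB not being writable) is the innermost cause. The parser below is an added illustration, not code from this thread or from Cisco ISE; it splits the log header and the exception chain so the root cause can be picked out of a larger log. The header layout is an assumption reconstructed from the two quoted lines, and the INFO line in the sample is constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Header layout assumed from the two lines quoted in the post (not from Cisco docs):
#   <date> <time>,<ms> <LEVEL> [<thread>][] <logger> -:::::- <message>
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]*)\]\[[^\]]*\] "
    r"(?P<logger>\S+) -:::::- "
    r"(?P<message>.*)$"
)

# Fully qualified Java exception class names, e.g. java.security.KeyStoreException
EXC_RE = re.compile(r"((?:[A-Za-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))")


def split_exception_chain(message: str) -> List[Tuple[str, str]]:
    """Split 'Outer.Exception: text: inner.Exception: text' into (class, text) pairs.

    Java prints a wrapped cause after the wrapper's own message, so the last
    element of the returned list is the root cause."""
    hits = list(EXC_RE.finditer(message))
    chain = []
    for i, h in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        chain.append((h.group(1), message[h.end():end].strip(" :")))
    return chain


@dataclass
class LogEvent:
    ts: str
    level: str
    thread: str
    logger: str
    message: str
    continuation: List[str] = field(default_factory=list)  # trace lines without a header

    @property
    def exception_chain(self) -> List[Tuple[str, str]]:
        return split_exception_chain(self.message)

    @property
    def root_cause(self) -> Optional[Tuple[str, str]]:
        chain = self.exception_chain
        return chain[-1] if chain else None


def parse_log(text: str) -> List[LogEvent]:
    """Parse log text; lines without a header are attached to the preceding event."""
    events: List[LogEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append(LogEvent(**m.groupdict()))
        elif events:
            events[-1].continuation.append(line)
    return events


def cert_store_write_failures(text: str) -> List[LogEvent]:
    """ERROR events from the certificate-management logger whose root cause is a
    KeyStoreException, i.e. the condition quoted in the post."""
    return [
        ev for ev in parse_log(text)
        if ev.level == "ERROR"
        and ".certmgmt." in ev.logger
        and ev.root_cause is not None
        and ev.root_cause[0].endswith("KeyStoreException")
    ]


# Constructed sample: one invented INFO line followed by the two lines from the post.
SAMPLE_LOG = """\
2020-06-17 14:01:20,001 INFO [admin-http-pool132][] infrastructure.certmgmt.service.impl.LocalCertificateServiceImpl -:::::- Binding certificate to CSR
2020-06-17 14:01:26,573 ERROR [admin-http-pool132][] infrastructure.certmgmt.service.impl.LocalCertificateServiceImpl -:::::- Unexpected exception: com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities
com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities
"""

if __name__ == "__main__":
    for ev in cert_store_write_failures(SAMPLE_LOG):
        cls, why = ev.root_cause
        print(f"{ev.ts} {ev.logger}: root cause {cls}: {why}")
```

Running the block on the sample reports a single event whose root cause is java.security.KeyStoreException; the wrapper CertMgmtException is kept in the chain so the context ("deleting certificate from NSS DB") is still visible next to the cause.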
