Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2074
Views
0
Helpful
2
Replies

ISE 1.4 EAP certificate renewal issue

Go to solution
GLiquorish
Level 1
Level 1

‎06-11-2020 07:50 AM

Hi,

 

I have a four node ISE cluster that one of the EAP certificates has expired.  A new certificate has ben issued with the same subject as the exiting one.  I am prompted that I can only have two certificates with the same subject when I am replacing one with the same role (I am).  I get an Okay prompt but it won't let me continue and I can't remove the expired certificate because it reports "The EAP certificate cannot be deleted".

I did try to replace this before it expired but was running into the same issues.

How do I de-link this certificate for me to be able to replace it?

 

I have a 2.6 cluster that is currently being configured but would like to get this one ack up a running to give me more breathing space.

 

Regards

Gavin

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Anurag Sharma
Cisco Employee
Cisco Employee

‎06-11-2020 08:59 AM

Hi @GLiquorish ,

You have two choices here:

  1. You click on 'Edit' on another certificate on that node and choose EAP service. That way you can move the EAP service from the current certificate and then delete the expired EAP certificate. Next, add your new certificate and select EAP again. You should now have EAP on the new and shiny certificate.
  2. You create a new CSR, just like the expired EAP certificate, except for a minor change like OU, City, etc. Then you get it signed and bind it the with the CSR. It shouldn't give any warnings.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Anurag Sharma
Cisco Employee
Cisco Employee

‎06-11-2020 08:59 AM

Hi @GLiquorish ,

You have two choices here:

  1. You click on 'Edit' on another certificate on that node and choose EAP service. That way you can move the EAP service from the current certificate and then delete the expired EAP certificate. Next, add your new certificate and select EAP again. You should now have EAP on the new and shiny certificate.
  2. You create a new CSR, just like the expired EAP certificate, except for a minor change like OU, City, etc. Then you get it signed and bind it the with the CSR. It shouldn't give any warnings.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
0 Helpful

Go to solution
GLiquorish
Level 1
Level 1
In response to Anurag Sharma

‎06-17-2020 07:16 AM

Hi

Thanks for the response. 

I have managed to delete the old certificate but binding the new certificate to the CSR generates an "Internal error. Ask your system administrator to check the logs for more details" message.

 

The debug logs are showing the following two messages:

2020-06-17 14:01:26,573 ERROR [admin-http-pool132][] infrastructure.certmgmt.service.impl.LocalCertificateServiceImpl -:::::- Unexpected exception: com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

 

com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

 

Is it worth rebooting this server and if so, what is the cleanest way to do this?

 

Regards

Gavin

0 Helpful
Customers Also Viewed These Support Documents