ISE 2.4 Stuck "Default Portal Certificate Group" certs

joe_lizzi
Level 1

I have an interesting issue on one of my ISE 2.4 (Patch 11) nodes. It has somehow managed to get two separate certs assigned to the "Default Portal Certificate Group". For example:


  Name: portal-ssl-1.ise    Use: Portal    Portal group tag: Default Portal Certificate Group

  Name: portal-ssl-2.ise    Use: Portal    Portal group tag: Default Portal Certificate Group


(Note: portal-ssl-2 was imported as a replacement for portal-ssl-1, but instead of switching the tag to the newer cert, it instead seems to have duplicated it.) It won't let me delete either one of them, complaining that they're in use by existing portals. It won't let me edit either one to use a different group tag. I don't have this issue on any of the other nodes in the cluster, all of which had their certs updated.


Is there a way to resolve this, perhaps via CLI?


Accepted Solution

Greg Gibbs
Cisco Employee

You might try the following:

  1. Export the 'portal-ssl-2' certificate and key to back them up
  2. Create a new self-signed certificate and bind it to the Default Portal Certificate Group
  3. Delete both the 'portal-ssl-1' and 'portal-ssl-2' certificates
  4. Import the 'portal-ssl-2' certificate and key and bind it to the Default Portal Certificate Group
  5. Delete the self-signed certificate

If that still fails, you will need to open a TAC case. Fixing these types of certificate binding issues typically requires TAC using the root patch to delete the certificate bindings directly from the database.

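Two checks a practitioner would want around the procedure above, as an added example that is not code from the post or from Cisco ISE: first, an offline scan of a certificate inventory (in the same Name / Use / Portal group tag layout the poster pasted, with a constructed node-name prefix and constructed sample rows) that flags any portal group tag bound to more than one certificate on the same node; second, a helper that fetches the leaf certificate a node's portal actually presents and returns its SHA-256 fingerprint, so that after re-binding you can confirm clients really get the replacement certificate rather than whichever of the two duplicates ISE happens to pick. Port 8443 is assumed as the default guest-portal port and the hostnames are placeholders.

```python
"""Spot portal-certificate group tags bound to more than one system
certificate, and confirm which certificate a node's portal presents.

Added example, not code from the original post or from Cisco ISE. The
inventory layout copies the 'Name / Use / Portal group tag' lines in the
post; the leading node name and every sample row are constructed."""
import hashlib
import re
import ssl
from collections import defaultdict

# Constructed sample: one line per system certificate, prefixed with the node
# it lives on. ise-psn-2 reproduces the stuck state described in the post.
SAMPLE_INVENTORY = """\
ise-psn-1  Name: portal-ssl-2.ise  Use: Portal  Portal group tag: Default Portal Certificate Group
ise-psn-1  Name: admin.ise  Use: Admin, EAP Authentication  Portal group tag:
ise-psn-2  Name: portal-ssl-1.ise  Use: Portal  Portal group tag: Default Portal Certificate Group
ise-psn-2  Name: portal-ssl-2.ise  Use: Portal  Portal group tag: Default Portal Certificate Group
ise-psn-2  Name: admin.ise  Use: Admin, EAP Authentication  Portal group tag:
"""

# Non-greedy 'use' so that 'Portal' as a usage is not confused with the
# 'Portal group tag:' label that follows it; the tag itself may be empty.
LINE_RE = re.compile(
    r"^(?P<node>\S+)\s+Name:\s*(?P<name>\S+)\s+Use:\s*(?P<use>.*?)\s*"
    r"Portal group tag:\s*(?P<tag>.*?)\s*$"
)


def parse_inventory(text):
    """Parse inventory lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_duplicate_bindings(records):
    """Return {(node, group_tag): [cert names]} for every portal group tag
    claimed by more than one certificate on the same node. A healthy node has
    at most one certificate per tag; two means the replacement import did not
    displace the old binding, which is the state described in the post."""
    bound = defaultdict(list)
    for r in records:
        if "Portal" in r["use"] and r["tag"]:
            bound[(r["node"], r["tag"])].append(r["name"])
    return {key: sorted(names) for key, names in bound.items() if len(names) > 1}


def served_cert_sha256(host, port=8443):
    """Fetch the leaf certificate a portal presents on host:port and return
    its SHA-256 fingerprint as colon-separated hex. Network call, not used by
    the offline check; compare the result with the fingerprint of the
    certificate you expect (portal-ssl-2 in the post) after re-binding.
    Port 8443 is assumed as the default guest-portal port; adjust as needed.
    No chain validation is done on purpose: the point is to see what is
    presented, including a temporary self-signed certificate."""
    pem = ssl.get_server_certificate((host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    dups = find_duplicate_bindings(parse_inventory(SAMPLE_INVENTORY))
    for (node, tag), names in dups.items():
        print(f"{node}: '{tag}' is bound to {len(names)} certificates: {', '.join(names)}")
    # After re-binding on a real node (placeholder hostname):
    # print(served_cert_sha256("ise-psn-2.example.com"))
```

Run the offline scan against an inventory pasted from each node's System Certificates page before and after the export/delete/re-import steps; the node is only fixed when the scan reports nothing and the fingerprint served on the portal port matches the re-imported certificate.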


Okay, looks like it's really stuck in a weird way. It let me assign the self-signed cert to the Portal, but it only took the role away from "portal-ssl-1", leaving "portal-ssl-2" and the self-signed cert assigned to Default Portal duty.


I'll either call TAC or simply reinstall the node. (Probably the latter, since I'm now wary of what else may be messed up on it, and it's currently in a backup role anyway.)


Thank you for the help, Greg.