cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11996
Views
30
Helpful
8
Replies

ISE can not Import Server Certificate

huang zhongwei
Level 1
Level 1

I want to use 802.1x EAP-TLS protocol authenticate client,then requested web server certificate from Microsoft 2003 CA server and saved it to my PC,  when I open local Certificates>Import Server  page in ISE , there is "Private Key File" item,but I don't know how generate this file.

In addition,after I Submit,ISE prompt "Unable to read certificate file - please be sure file is in PEM or DER format".

Anyone tell me how procedure I do,truly grateful.

1 Accepted Solution

Accepted Solutions

I found the answer -- after you generate a CSR request you need to load the certificate on the "Certificate Signing Requests" page (by selecting Bind Certificate) rather than trying to import it as a new certificate on the "System Certificates" page.

 

Cisco could make this more intuitive..... 

View solution in original post

8 Replies 8

Tarik Admani
VIP Alumni
VIP Alumni

Hi,

If you generated the CSR on the ISE node locally, you are choosing the wrong option. Please use the "Bind CA Signed Certificate" option instead. The private key is generated already when you created the CSR on the ISE.

As far as your 2nd question what are you doing to get this error? Are you generating a bogus private key file and trying to import this?

Thanks,

Tarik Admani
*Please rate helpful posts*

Venkatesh Attuluri
Cisco Employee
Cisco Employee

Steps for configuring certificate in ISE

Step 1 :Download the CA’s certificate

Step 2 :Trust the CA in ISE a. In ISE, go to Administration > System > Certificates > Certificates Authority Certificates

b. Add the CA certificate as a trusted certificate

Step 3: Create a certificate signing request (CSR)

Go to Administration > System > Certificates > Local Certificates, and click Add

b. Generate a certificate signing request

c. Export the CSR from Administration > System > Certificates > Certificate Signing Requests

d. Once saved, open the .PEM file with notepad and copy the entire contents to the clipboard.

Step 4: Submit the CSR to the CA for signing

Step 5: Bind the certificate to the signing request

a. In ISE, go to Administration > System > Certificates > Local Certificates and add the certificate by binding the certificate.

Step 6 :Confirm that the new ISE certificate is being used

a. Log out of ISE and close all browser windows

b. Reopen the browser and go to the ISE login page. Confirm that the browser is securing the https session using the new ISE certificate.

Can you clarify what you mean by, "Step 5: Bind the certificate to the signing request"? Note I am using ISE 2.3.

I found the answer -- after you generate a CSR request you need to load the certificate on the "Certificate Signing Requests" page (by selecting Bind Certificate) rather than trying to import it as a new certificate on the "System Certificates" page.

 

Cisco could make this more intuitive..... 

good.

when I`m trying to do Step 5: Bind the certificate to the signing request.

this error appear " Certificate path validation failed. make sure required Certificate chain is imported under Trusted Certificates "

 

 

You need to import the root and any intermediate certificates that are in the certificate chain of the signed / generated certificate.

You do this under the "Trusted Certificates" menu/page on the primary admin node.

My friend,

How can do it: Step 4: Submit the CSR to the CA for signing?

I am using 2.7 version ISE.

See the information and examples provided in How To Implement Digital Certificates in ISE

If there is something additional you are having trouble with, please provide more detail on what help you require.