Running ISE 2.1
The certificate used by the portal (Default Portal Cetificate Group) is about to expire.
Under "Administration" -> "System" -> "Certificate Management" -> "Certificate Signing Request", I generated a new CSR, submitted it to the CA for signing, and later did a "Bind Certificate" with the reply.
All this was successfull.
Under "System Certificates", the new certificate is listed as ok, with the same "Issued to" as the current cert, but as expected with a different "Issued by" etc.
I select the new certificate, do "Edit", check usage "Portal" and "Default Portal Certificate Group" and submit.
I acknowledge the warning "The Portal tag is already assigned to the following certificate(s). If you proceed, it will be removed from the existing certificates, and affected portals will be restarted. Do you want to proceed?" and again I get a toaster feedback that everything went ok.
However: After this, the portal is unaccessible. In fact, nmap shows that port 8443 it should run at is "closed". Only when I switch back to the old certificate, it becomes accessible again ...
What is going wrong here?