
ISE - Certificate and mismatched private key

Hi,

Doing an upgrade on an ISE deployment, I made a backup of all server certificates with the private key, in case of..

On one of the policy nodes I wanted to try if 'application config-reset' would speed up the upgrade. (from 1.1.0 to 1.1.1 takes about 1h/node)

I did clear the configuration and after the node was upgraded I tried to import the certificate and private key but got an error:

key pair import failed: Mismatched private key.

After some testing back and forth I did a hash match in openssl and I see that it doesn't match. I also tested the other 3 certificates with keys and it looks like I got the same problem there. I tried to unpack the cert.zip file with different unarchivers, same problem.

Anyone seen this before?

OSX:openssl x509 -noout -text -in newxxisepol2.pem | openssl md5

(stdin)= 8b8a00005e4245b4cb1e1b789d818413

OSX:openssl rsa -noout -modulus -in newxxisepol2.pvk | openssl md5

Enter pass phrase for newxxisepol2.pvk:

(stdin)= 498a4e136f7019a0f6f6d60129b0eb5d

Cheers

M


nickbettison
Level 1

Hello,

Did you resolve?

I am seeing the same issue.... key import after an `application config-reset` fails. Certs checked and look ok:

linickx:certs nick$ openssl x509 -noout -modulus -in s.cer | openssl md5

f694b168f1e16b4163bd69c71b3af50d

linickx:certs nick$

linickx:certs nick$ openssl req -noout -modulus -in s.csr | openssl md5  

f694b168f1e16b4163bd69c71b3af50d

linickx:certs nick$

linickx:certs nick$ openssl rsa -noout -modulus -in s.key | openssl md5

f694b168f1e16b4163bd69c71b3af50d

linickx:certs nick$

rgds,

Nick

Hi Nick,

Yes I got the cert back on the ISE, I did a reload on the server and after that I could import the certificate again.

Not the best answer, a bit like banging an old telly, but it did the trick for me.

Cheers

Thanks for getting back to me

A reboot didn't fix it, but I did find the problem... somehow I ended up with mismatching openssl formats....

To generate my pri key I used:

> openssl genrsa -out s.key 2048

the CA issued me a certificate.p7b, which I converted for use with ISE:

> openssl pkcs7 -print_certs -in certificate.p7b -out s.cer

Using this s.key & s.cer together generated the "key pair import failed: Mismatched private key." error.

To fix, I standardised the files with:

> openssl rsa -in s.key -text  > private.pem

> openssl x509 -inform PEM -in s.cer > public.pem

Hopefully that'll help someone else in the future.

cheers,

Nick
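
The pair check used in the replies above, written as a reusable script (an added example, not part of the original thread). It compares the public key taken from the certificate with the one derived from the private key, which generalizes the modulus comparison to non-RSA keys; the helper function names, the `node.example` subject and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key belong together by
# comparing the public key each one yields. All file names are constructed.

# Public key (PEM) embedded in a certificate. openssl ignores text before the
# BEGIN CERTIFICATE line, e.g. subject=/issuer= lines from "pkcs7 -print_certs".
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key derived from a private key (traditional or PKCS#8 PEM).
# $2: optional openssl pass phrase source such as "file:/path/to/passfile".
pubkey_of_key() {
    openssl pkey -in "$1" -passin "${2:-pass:}" -pubout 2>/dev/null
}

# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be read.
pair_matches() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2" "$3") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Create constructed sample files in a scratch directory and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=node.example" \
        -keyout "$d/s.key" -out "$d/direct.cer" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    # Same round trip as in the thread: PKCS#7 file -> "pkcs7 -print_certs".
    openssl crl2pkcs7 -nocrl -certfile "$d/direct.cer" -out "$d/certificate.p7b" &&
        openssl pkcs7 -print_certs -in "$d/certificate.p7b" -out "$d/s.cer" || return 1
    echo "$d"
}

report() {
    rc=0
    pair_matches "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH      $1 <-> $2" ;;
        1) echo "MISMATCH   $1 <-> $2" ;;
        *) echo "UNREADABLE $1 or $2" ;;
    esac
}

dir=$(make_samples) && {
    report "$dir/s.cer" "$dir/s.key"
    report "$dir/s.cer" "$dir/other.key"
}
```

A digest comparison is only meaningful when both sides hash the same field: the digest of `x509 -text` output will not equal the digest of `rsa -modulus` output even for a matching pair.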

bbosch4210
Level 1

I too had this issue. I exported the certificate and private key prior to re-install. This generated a ZIP file.

When I tried to import, I got the mismatch error.

I think that the fix was to simply rename the .pem file to a .cer file after I unzipped.

I'm not 100% on this, but if someone has this issue, please try this and confirm.

Thanks

This brings up a good question. If you do a CSR in ISE is the private key accessible ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


>If you do a CSR in ISE is the private key accessible ?

Only after the certificate has been issued. i.e. the "local certificates" page allows export of pub/priv keypair via the export button, however the export button on the "Certificate Signing Requests" will only export the signing request.