09-23-2014 07:20 AM - edited 03-10-2019 10:03 PM
I have an ISE Primary Monitor node on which the Server Certificate has expired. I generated a new CSR and it reported that it was created and could be viewed under the Certificate Signing Requests tab, but it never showed up. Tried to re-generate but it now states that it already exists. Rebooted the device to see if that would fix the issue but the CSR is still not showing. For a test I created another CSR using the IP address of the device as the CN, and again it reported that it could be viewed but is not being displayed under the CSR tab. These are the log items when I created the initial CSR and what it shows when I tried to create another using the same CN. The version of ISE is 1.1.3.124. I was able to create CSRs and update Certificates on the Administration/Policy nodes.
237 INFO 2014-09-22 11:43:07,237 [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____ was created successfully. 2014-09-22 11:43:16,
174 ERROR 2014-09-22 11:44:33,174 [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Resource Name 'NAC Group:NAC:CertificateRequests:DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____' already exists. 2014-09-22 11:44:36,
Thanks
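The symptom in the two log entries above (a CSR logged as created, then rejected as already existing under the same name) can be checked for mechanically. This is an added example, not part of the original post or Cisco tooling; the function name `find_stuck_csrs`, the line layout (taken from the two quoted entries) and the placeholder CSR names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the layout of the two entries quoted in the post.
# The CSR names are placeholders, not real hosts.
SAMPLE_LOG = """\
INFO 2014-09-22 11:43:07,237 [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request ise-node_example_test#PID$_X was created successfully.
ERROR 2014-09-22 11:44:33,174 [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Resource Name 'NAC Group:NAC:CertificateRequests:ise-node_example_test#PID$_X' already exists.
INFO 2014-09-22 11:50:02,101 [http-443-30][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request other-node_example_test was created successfully.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
CREATED = re.compile(
    r"INFO\s+" + TS + r".*Certificate Signing Request (?P<name>\S+) was created successfully"
)
EXISTS = re.compile(
    r"ERROR\s+" + TS + r".*Resource Name '[^']*:CertificateRequests:(?P<name>[^']+)' already exists"
)


def parse_ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS,mmm' timestamp used in the log lines."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S,%f")


def find_stuck_csrs(log_text):
    """Return {csr_name: (created_at, first_conflict_at)} for every CSR that was
    logged as created and later rejected as 'already exists'."""
    created, stuck = {}, {}
    for line in log_text.splitlines():
        m = CREATED.search(line)
        if m:
            # Remember the first time each CSR name was reported as created.
            created.setdefault(m["name"], parse_ts(m["ts"]))
            continue
        m = EXISTS.search(line)
        if m and m["name"] in created and m["name"] not in stuck:
            stuck[m["name"]] = (created[m["name"]], parse_ts(m["ts"]))
    return stuck


if __name__ == "__main__":
    for name, (created_at, conflict_at) in find_stuck_csrs(SAMPLE_LOG).items():
        print(f"{name}: created {created_at}, name conflict {conflict_at}")
```

A name reported here exists in the certificate store according to the log, so if it is also missing from the Certificate Signing Requests tab it matches the behaviour described in this thread.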
09-23-2014 11:02 PM
It has been a while since I have used that version of ISE but I recall having a similar issue. The only way I believe we were told of removing this was to either re-image the box or get TAC involved where they can use root access and remove the "object" that is stuck in the database. A couple of things you could try doing:
1. Generate the CSR using another application such as OpenSSL
2. Try upgrading to ISE 1.2 and see if that clears the DB
Thank you for rating helpful posts!
09-26-2014 04:24 AM
Tried generating another CSR from a different app but no success.
Opened a TAC case and was told that this is a bug, CSCuh91639. Worked with the TAC engineer to have them go into the DB with root access on this node and the primary node to delete the CSR. Also had to de-register the ISE from the deployment and then reset the ISE to default settings to have it create a new self-signed cert to allow re-registering the device into the deployment. After this I was able to create a CSR and generate a cert from our CA.
Will look into updating to 1.2 since this bug is fixed in that version.
09-26-2014 04:13 AM
Sometimes it's as simple as using another browser; try Firefox, IE or Chrome and see if it turns up.