ISE - Deploy certificate .cer (portal)

CSCO12052314
Level 1

Hello.

I have a question about certificate deployment. Currently, I have a public certificate that is being used for the guest portal, but it has expired. So, our customer has generated a new cert using the same public CA, but this cert has no PVK, and I can’t export it in any format other than “.cer”. I can’t import the .cer, because a .pem + PVK and a password are mandatory.

I know that the normal and easiest way is to generate a CSR, sign it and then bind it, or get a correct certificate (PEM + PVK), but:

I have heard that it is possible to manipulate the certificate chain of the expired certificate, but I am not sure if it’s possible. Has anyone ever manipulated the chain of the certificate to make it possible to import a “.cer”?

Note: I’m trying to use that “.cer” in “System Certificates”.

ISE Version: 2.4.0.357

Regards.

2 Accepted Solutions

hslai
Cisco Employee

We cannot import a system certificate with only the certificate and without the corresponding private key.

Please ask how the customer generated the new certificate. Some public CAs might re-use the CSR that was provided previously, and then it would use the same private key. If the previous certificate is one of the ISE server certificates, then just export it with the private key and re-import the private key with the new certificate.

Correct^ The best and most secure way is to generate a CSR directly on the ISE node the certificate will be bound to.  In this case, the private key never has to leave the ISE node and will not be exposed to improper/non-secure storage.


CSCO12052314
Level 1

 

Hello.

Thank you for your information.

Unfortunately, our customer hasn’t re-used the same CSR; he has excluded the old certificate and generated a new one, and there isn’t any relation to the old cert. So, I guess there is no way; we must get a certificate with a PVK.

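hslai's reply turns on whether the CA re-used the earlier CSR, in which case the new .cer carries the same public key as the private key already held. The check below is an added example, not part of the thread and not Cisco tooling: it compares the public key in a .cer (PEM or DER) with the one derived from a private key using the openssl CLI. The file names, the host name and the self-signed test certificates standing in for CA-issued ones are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: does a certificate-only .cer belong to a private key we already hold?

cert_pubkey() {   # PEM public key of a certificate; tries PEM encoding, then DER
  openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null ||
  openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

key_pubkey() {    # PEM public key derived from a private key (prompts if it is encrypted)
  openssl pkey -in "$1" -pubout 2>/dev/null
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
  cert_pub=$(cert_pubkey "$1") || return 2
  key_pub=$(key_pubkey "$2") || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_demo() {     # constructed test material, written into directory $1
  dir=$1
  # "Old" certificate and its private key, as exported from the server
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" \
    -out "$dir/old.pem" -subj "/CN=guest.example.test" -days 1 2>/dev/null
  # Renewal over the same key pair (what CSR re-use yields), delivered as DER .cer
  openssl req -x509 -new -key "$dir/old.key" -subj "/CN=guest.example.test" \
    -days 30 -outform DER -out "$dir/renewed.cer" 2>/dev/null
  # Certificate for a brand-new key pair; its private key stays with whoever made it
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" \
    -out "$dir/unrelated.cer" -subj "/CN=guest.example.test" -days 30 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir"
for f in renewed.cer unrelated.cer; do
  if cert_matches_key "$demo_dir/$f" "$demo_dir/old.key"; then
    echo "$f: public key matches old.key, the pair can be imported together"
  else
    echo "$f: no matching private key held, a new CSR or a cert with its key is needed"
  fi
done
rm -rf "$demo_dir"
```

A mismatch here corresponds to the situation described in the original poster's follow-up: the new certificate was issued for a different key pair, so no amount of chain editing makes it importable as a system certificate.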