Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
489
Views
0
Helpful
2
Replies

ISE GUI fails to open in Chrome, "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

Go to solution
thomashowe
Level 1
Level 1

‎06-07-2024 06:47 AM

Hello all,

I am experiencing this issue on one of my ISE PSN Servers running v3.1 patch 7. 

Cisco Bug: CSCwi63234 - ISE GUI will fail to open on Chrome with error "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

The bug page says these are the work arounds:

Workaround: Use a different browser.  Resign the cert or use a different cert that includes "Digital Signature, Non-Repudiation" as the Key Usage.

Ok, using a different browser, same error.  (Used both Chrome and Edge, not permitted to use any other browsers).

What do they mean "Resign the cert or use a different cert that includes "Digital Signature, Non-Repudiation" as the Key Usage."???

I am an old school network engineer not a web guru nor a very proficient ISE administrator though I am learning fast.  Is there a solid documentation that tells me solve this or another blog with the steps outlining a solution because some poor person had to solve this on their own??

Thank you!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎06-08-2024 02:17 PM

Hi there

As usual, badly written bug ID that doesn't offer much hope. I logged into CCO to read the "details" but there's not much to go on. Here's what I can tell you. When you make an ISE Admin cert, the CA that creates the cert for you, must use a template (e.g. in Microsoft Windows Server Certificate Authority) that includes "Digital signature" as the Key Usage. Here is a screenshot from Windows Server CA's template that can be used for any typical "Web Server" (like ISE Admin cert)

ArneBier_0-1717880681463.png

 

That's been working fine for since day 1. Non-repudiation doesn't even enter into the discussion.

Questions: 

  • When did your issue start? New install?
  • What does your Admin cert look like (look at the details in the browser) - what can you see in the Key Usage field?
  • Can you upgrade your ISE to 3.2 or 3.3 ? I know, easier said than done, but the train is moving and we need to stay on it. I have never seen this bug before and I recall being on ISE 3.1 some time ago.

 

Check your ISE cert - click on the padlock in Firefox and click Connection Secure

ArneBier_1-1717881020453.png

Then click on More Information, View Certificate

ArneBier_2-1717881235953.png

 

When the bug ID refers to "resigning the cert", they should have said "revoke the cert" and re-issue a new cert that includes the Digital Signature in the Key Usage field. If you stick with the Windows Server CA basic template "web server" you can't go wrong.

 

 

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎06-08-2024 02:17 PM

Hi there

As usual, badly written bug ID that doesn't offer much hope. I logged into CCO to read the "details" but there's not much to go on. Here's what I can tell you. When you make an ISE Admin cert, the CA that creates the cert for you, must use a template (e.g. in Microsoft Windows Server Certificate Authority) that includes "Digital signature" as the Key Usage. Here is a screenshot from Windows Server CA's template that can be used for any typical "Web Server" (like ISE Admin cert)

ArneBier_0-1717880681463.png

 

That's been working fine for since day 1. Non-repudiation doesn't even enter into the discussion.

Questions: 

  • When did your issue start? New install?
  • What does your Admin cert look like (look at the details in the browser) - what can you see in the Key Usage field?
  • Can you upgrade your ISE to 3.2 or 3.3 ? I know, easier said than done, but the train is moving and we need to stay on it. I have never seen this bug before and I recall being on ISE 3.1 some time ago.

 

Check your ISE cert - click on the padlock in Firefox and click Connection Secure

ArneBier_1-1717881020453.png

Then click on More Information, View Certificate

ArneBier_2-1717881235953.png

 

When the bug ID refers to "resigning the cert", they should have said "revoke the cert" and re-issue a new cert that includes the Digital Signature in the Key Usage field. If you stick with the Windows Server CA basic template "web server" you can't go wrong.

 

 

 

0 Helpful

Go to solution
thomashowe
Level 1
Level 1
In response to Arne Bier

‎06-10-2024 06:16 AM

Hello Arne,

Let me give this a go and see if I can solve this.

Side Note: We are planning an upgrade to ISE v3.2 patch 6.  We can't upgrade to v3.3 patch 2 since our WLC 9800s are running v17.9.5 which hasn't been approved for use with ISE v3.3 yet as per Cisco documentation & TAC Case.  They are testing/getting ready to test this combination as per TAC.

So, with that in mind, if I can't fix this then the upgrade will do it for me.  Thank you for your reply, sir!

0 Helpful
Customers Also Viewed These Support Documents