ISE GUI fails to open in Chrome, "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

thomashowe
Level 1

Hello all,

I am experiencing this issue on one of my ISE PSN Servers running v3.1 patch 7. 

Cisco Bug: CSCwi63234 - ISE GUI will fail to open on Chrome with error "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

The bug page says these are the workarounds:

Workaround: Use a different browser.  Resign the cert or use a different cert that includes "Digital Signature, Non-Repudiation" as the Key Usage.

Ok, using a different browser, same error.  (Used both Chrome and Edge, not permitted to use any other browsers).

What do they mean "Resign the cert or use a different cert that includes "Digital Signature, Non-Repudiation" as the Key Usage."???

I am an old school network engineer, not a web guru nor a very proficient ISE administrator, though I am learning fast.  Is there solid documentation that tells me how to solve this, or another blog with the steps outlining a solution, because some poor person had to solve this on their own??

Thank you!!

Accepted Solution

Arne Bier
VIP

Hi there

As usual, badly written bug ID that doesn't offer much hope. I logged into CCO to read the "details" but there's not much to go on. Here's what I can tell you. When you make an ISE Admin cert, the CA that creates the cert for you must use a template (e.g. in Microsoft Windows Server Certificate Authority) that includes "Digital signature" as the Key Usage. Here is a screenshot from Windows Server CA's template that can be used for any typical "Web Server" (like the ISE Admin cert).

[Screenshot: Windows Server CA "Web Server" certificate template, Key Usage extension]


That's been working fine since day 1. Non-repudiation doesn't even enter into the discussion.

Questions:

  • When did your issue start? New install?
  • What does your Admin cert look like (look at the details in the browser) - what can you see in the Key Usage field?
  • Can you upgrade your ISE to 3.2 or 3.3? I know, easier said than done, but the train is moving and we need to stay on it. I have never seen this bug before and I recall being on ISE 3.1 some time ago.


Check your ISE cert - click on the padlock in Firefox and click Connection Secure.

[Screenshot: Firefox padlock, Connection Secure]

Then click on More Information, View Certificate.

[Screenshot: Firefox certificate viewer, Key Usage field]


When the bug ID refers to "resigning the cert", they should have said "revoke the cert" and re-issue a new cert that includes the Digital Signature in the Key Usage field. If you stick with the Windows Server CA basic template "web server" you can't go wrong.

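As an added example (not from the thread above and not Cisco code), the check Arne describes in the browser can also be done programmatically: read the Key Usage extension out of a DER-encoded certificate and report whether it carries Digital Signature, the usage the bug's workaround calls for. The script below uses only the Python standard library. It builds two constructed, unsigned, structurally minimal certificates inline (the name `ise-psn.example`, dates, key and signature bytes are all placeholders) so it runs offline; the `fetch_key_usage` helper, which pulls the leaf certificate of a live admin portal with `ssl.get_server_certificate`, is included for use against your own ISE node and is not exercised by the demo.

```python
# Added example, standard library only: read the Key Usage extension of a DER certificate.
# Certificates from build_cert() are constructed and unsigned (not real ISE certs).
import ssl

KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage 2.5.29.15, DER-encoded
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]  # RFC 5280 bit order

def der(tag, payload):
    """Encode one DER TLV with a short or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def parse_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, payload, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(payload):
    """(tag, payload) of every TLV directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        out.append((tag, val))
    return out

def encode_key_usage(usages):
    """DER BIT STRING for the named usages: unused-bit count first, trailing zero bits trimmed."""
    bits, highest = 0, -1
    for name in usages:
        i = KU_NAMES.index(name)
        bits |= 1 << (15 - i)  # bit 0 is the MSB of the first byte
        highest = max(highest, i)
    nbytes = 1 if highest < 8 else 2
    body = (bits >> (16 - nbytes * 8)).to_bytes(nbytes, "big")
    return der(0x03, bytes([nbytes * 8 - (highest + 1)]) + body)

def decode_key_usage(bitstring):
    """Map a KeyUsage BIT STRING payload back to the RFC 5280 names that are set."""
    unused, data = bitstring[0], bitstring[1:]
    total = len(data) * 8 - unused
    return [KU_NAMES[i] for i in range(min(total, len(KU_NAMES))) if data[i // 8] & (0x80 >> (i % 8))]

def find_key_usage(buf):
    """Depth-first search for the KeyUsage extension; None if the certificate has none."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = parse_tlv(buf, pos)
        if not tag & 0x20:  # primitive value: nothing to descend into
            continue
        kids = children(val)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if kids and kids[0] == (0x06, KEY_USAGE_OID):
            btag, bits, _ = parse_tlv(kids[-1][1])
            if btag == 0x03:
                return decode_key_usage(bits)
        found = find_key_usage(val)
        if found is not None:
            return found
    return None

def usable_for_ecdhe(usages):
    """False for the shape Chrome reports as ERR_SSL_KEY_USAGE_INCOMPATIBLE on an ECDHE or
    TLS 1.3 handshake: a KeyUsage extension present but lacking digitalSignature."""
    return usages is None or "digitalSignature" in usages

def build_cert(usages, cn=b"ise-psn.example"):
    """Constructed, unsigned, minimal X.509 v3 cert; name, dates, key and signature are placeholders."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn))))  # CN=
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
               + der(0x03, b"\x00" * 9))  # rsaEncryption with a placeholder key
    ext = der(0x30, der(0x06, KEY_USAGE_OID) + der(0x01, b"\xff") + der(0x04, encode_key_usage(usages)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name
              + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))  # placeholder signature

def fetch_key_usage(host, port=443):
    """Usages of a live server's leaf cert (no chain validation); not run by the demo below."""
    pem = ssl.get_server_certificate((host, port))
    return find_key_usage(ssl.PEM_cert_to_DER_cert(pem))

if __name__ == "__main__":
    # Constructed inputs: the failing shape versus the shape the bug's workaround asks for.
    for label, usages in [("keyEncipherment only", ["keyEncipherment"]),
                          ("digitalSignature + keyEncipherment", ["digitalSignature", "keyEncipherment"])]:
        seen = find_key_usage(build_cert(usages))
        print(f"{label}: Key Usage = {seen}, ECDHE-compatible = {usable_for_ecdhe(seen)}")
```

Running it prints the usages found in each constructed certificate and whether the digitalSignature bit is present; against a real node, `fetch_key_usage("your-ise-admin-host")` gives the same answer as reading the Key Usage field in the browser's certificate viewer. Note that the parser only searches for the extension and never validates the signature or chain, so it is a diagnostic for the Key Usage question, not a trust check.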


Hello Arne,

Let me give this a go and see if I can solve this.

Side Note: We are planning an upgrade to ISE v3.2 patch 6.  We can't upgrade to v3.3 patch 2 since our WLC 9800s are running v17.9.5, which hasn't been approved for use with ISE v3.3 yet as per Cisco documentation & TAC Case.  They are testing/getting ready to test this combination as per TAC.

So, with that in mind, if I can't fix this then the upgrade will do it for me.  Thank you for your reply, sir!