ISE Internal Cert Generation Failed - Something went wrong with ZIP file

Arne Bier
VIP

Hello

On a two-node ISE 2.7 patch 2 system I saw a strange error while generating a cert in the pxGrid Services screen.

pxGrid cert zip issie.PNG

The certificate was in fact generated! - but due to the error message I was unable to download the cert. I don't know any other way to get access to that cert (I can see the cert under the Internal CA Issued Certs)

Short of restarting the ISE node, I don't know what else to try? Anyone seen this before?

9 Replies

poongarg
Cisco Employee

Hello Arne,

Check whether the certificate for the pxGrid client was generated with a CSR in PKCS8 format, and whether the SAN field is configured either in the CSR or while generating the certificate. If not, then try adding the SAN field and check if that resolves the issue.

Hi

Thanks, I already tried that.

The CSR was created on an ISE node.

I was creating two CSRs for the EAP roles on the two PSNs. And the idea was to have the EAP cert signed by the ISE Internal CA, so that I can hand out the ISE Internal Root CA cert to clients. No matter which PSN is used, the client will trust both. This customer has no PKI, therefore it seemed that the ISE CA was ideal.

The first CSR was accepted by the pxGrid certificate generator and it produced a cert that I was able to bind to ISE01. But it's ISE02 that I am having issues with. I created another CSR just for ISE02 but each time I get this .zip error, and the cert is created (but I cannot access it) - all the fields look correct when I view the cert details.

The weird thing is that the cert is always generated correctly and I can see it in the issued Certificates list. It seems like a bug in the packaging of the .zip file. I have never seen such an error and I have created a lot of certs on the internal ISE CA.

I have also stopped and rebooted both nodes - made no difference - still same .zip error.

Hi Arne

Hopefully you have already resolved this issue, but isn't there an "Export certificate" element in "Internal CA issued"?

@Andrii Oliinyk - sadly not - I can view or revoke the cert. When I view, there are no further options. Not even a BASE64 format that I could copy and paste.

issued.png

I have the issue: the certificate chain was created correctly but the "zip" process keeps failing, and I am not able to download it.

Is there a way to do that with the CLI?

Certificates cannot be managed via the CLI. If you're having issues generating certificates from the internal CA for supported BYOD/pxGrid use cases, you might try another browser and regenerating the CA Root Chain from the Generate CSR menu.

If you're still having issues, I would suggest opening a TAC case.

Peter Koltl
Level 7

Check if the 3-level certificate hierarchy can be traced to a single root CA on both nodes.

Wow, I hadn't thought of that - I will check - but ISE should not allow more than one Root CA to be in place.

hslai
Cisco Employee

If the ISE admin server certificate is issued by ISE internal CA, then this is a known issue -- CSCvi85028

Or, it could be due to CSCvp30790