
OK, ISE.. where have you hidden the Endpoint RA certs

mamckenn
Level 1

My 4-node ISE deployment is working fine as a CA for cert-based authz with AnyConnect + ASA.

I cannot get SCEP working, however. Whenever I try to configure one of my PSNs in my 'enroll' connection profile, I get an error complaining that there is a non-resident Endpoint RA cert being presented along with the Endpoint sub CA cert (which is resident, as I have installed it in the ASA's trusted cert store).

Problem is, I can't install the RA cert in the ASA, because it doesn't exist in ISE's CA cert list for any of my nodes. ISE is definitely presenting this cert to the ASA, as its CN is for my PSN, and it even has a serial number. This is from the error message on the ASA (serial number removed):

NON-RESIDENT CERT: serial: [serial number], subject: cn=Certificate Services Endpoint RA - ISEPSN-01

 

So ISE has this cert somewhere, but where? I have looked through every cert store for that serial number, or anything that refers to RA - nothing.

 

thanks
