Portals presenting wrong cert

Madura Malwatte
Level 4

I have imported a wildcard certificate signed by our enterprise root CA into the system certificates list in ISE and it's using this wildcard for the default portal certificate group, EAP, admin, etc.

The default portal certificate group has all the default portals and the new portals I have created listed under it.


However, when I access a portal, let's say the My Devices portal, I am presented with a self-signed certificate issued to and by the PSN, instead of the cert chain that was issued by the root CA at the top level which is the wildcard system certificate.


In Device Portal Management > My Devices > Portal Settings, the Certificate group tag is set for "default portal certificate group".

Am I missing something?

Accepted Solutions

Thanks. This is a distributed deployment; the nodes were already registered, so when I updated the cert on the PAN it was automatically pushed to the other nodes. But it looks like this process may not have worked correctly: even though the GUI was showing the wildcard cert for portals, admin, etc., the nodes were using their self-signed cert. I took everything off the wildcard, re-applied and re-synced manually, which did the trick.

4 Replies

ajc
Level 7

If you are NOT running the PSN persona on the node where you installed the wildcard enterprise signed CA, then you will get that error. The same wildcard cert must be copied into each PSN. I do not know what ISE version you are running, what your deployment is, etc.

Jason Kunst
Cisco Employee
The admin portal is using the same certificate so it should have already restarted once. This certificate thing is tricky, so another restart might help or reloading the O/S.

Hi Jason, thanks for pointing me in the right direction. I had previously updated the wildcard cert and imported again into the PAN, after deleting the old wildcard from all the nodes. Since my other nodes were already registered at that point, the wildcard cert showed up automatically on the other nodes (view from system certificates tab) and the usage was correct.

What I did now was move the portals, admin, EAP, etc. to the self-signed cert on all the nodes, then moved them back over to the wildcard cert and issued a re-sync on those nodes. This has fixed the issue. I'm getting the correct cert presented on the portals by the PSN.
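
Added example (not part of the original thread and not Cisco code): because the GUI showed the wildcard while the nodes were presenting their self-signed certs, this sketch checks what each node actually presents on the wire and lists the nodes whose certificate is issued to and by itself. The host names, the port 8443 default and the sample certificates are assumptions constructed for illustration; comparing issuer with subject detects a self-issued certificate and does not verify the signature or the chain.

```python
import socket
import ssl

def fetch_der(host, port=8443, timeout=5):
    """Leaf certificate (DER) the node really presents; port 8443 is an assumption."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: inspect the cert ourselves
    ctx.verify_mode = ssl.CERT_NONE  # rather than abort on a self-signed one
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _tlv(buf, pos):
    """Parse one DER element at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)         # Certificate SEQUENCE
    _, pos, end = _tlv(der, pos)     # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:         # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]  # order: serial, sigAlg, issuer, validity, subject

def self_issued_nodes(nodes, fetch=fetch_der):
    """Nodes whose presented cert has issuer == subject (issued to and by itself)."""
    certs = ((n, issuer_subject(fetch(n))) for n in nodes)
    return [n for n, (issuer, subject) in certs if issuer == subject]

# --- constructed sample data (hypothetical hosts, minimal DER, no real keys) ---
def _der(tag, body):                 # short-form lengths only; samples are < 128 bytes
    return bytes([tag, len(body)]) + body
def _name(cn):                       # Name with a single CN (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
def _cert(issuer_cn, subject_cn):
    tbs = (_der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    return _der(0x30, _der(0x30, tbs))

SAMPLE = {"psn1.example.com": _cert("psn1.example.com", "psn1.example.com"),
          "psn2.example.com": _cert("Example Root CA", "*.example.com")}
```

Against a live deployment, call `self_issued_nodes([...])` with the PSN host names after a certificate change; an empty list means no node is still presenting a self-issued certificate on that port.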