cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
740
Views
0
Helpful
3
Replies

pxGrid CSR Fulfillment from Internal ISE CA

paul
Level 10
Level 10

I am trying to get my pxGrid client certs issued from the Internal ISE CA.  I have done this before with external CAs handling the pxGrid client certs, but trying to lab up using the Internal CA.

I have a fresh build ISE 2.2 deployment with patch 1 running in my lab environment.  It is a 3 deployment, two Admin/M&T and one PSN also running pxGrid.   The pxGrid certs are running from Internal CA issued certs.

Capture.JPG

The pxGrid itself is looking great.

Capture.JPG

But when I try to request a pxGrid client cert:

Capture.JPG

I get the following error.

Capture.JPG

I am sure I am missing something silly, but can't see what it is.  Not sure how to troubleshoot this further.

Thanks in advance for the advise.

1 Accepted Solution

Accepted Solutions

Interesting. I did more testing. If I generate a CSR either in ISE or with OpenSSL and submit the CSR request to the internal CA on that same page I get a cert no problem. It is only when I try to do it without a CSR meaning ISE needs to generate a private key, generate the CSR, submit the CSR and get the cert back.

Hmm… I can live with the CSR submission method if I have to. I will test on the customers deployment tomorrow.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

3 Replies 3

hslai
Cisco Employee
Cisco Employee

1) Is this continuing failing in repeated attempts?

2) Are you able to use internal CA to issue regular endpoint certificates?

If (1) -> yes and (2) no, then I would suggest to try replacing the cert chain -- Generate Root CA and Subordinate CAs on the PAN and PSN

Yes continually failing. After I put all my nodes together into a deployment and blew away all of the CA certs (deleted not deleted and revoked). Then I reinstalled the root chain which installed the whole CA cert structure into my deployment with my primary admin node as the root.

Is there an easy way to test endpoint cert issuance without doing a client provisioning setup?

Also, I can’t remember do any of the CA certs need to be in ISE’s trusted cert store? I didn’t think so, but wasn’t sure. pxGrid came up just fine without any of them in there.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Interesting. I did more testing. If I generate a CSR either in ISE or with OpenSSL and submit the CSR request to the internal CA on that same page I get a cert no problem. It is only when I try to do it without a CSR meaning ISE needs to generate a private key, generate the CSR, submit the CSR and get the cert back.

Hmm… I can live with the CSR submission method if I have to. I will test on the customers deployment tomorrow.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250