10-16-2023 10:22 AM - edited 01-19-2024 10:46 AM
Hello,
I replaced the root CA. Then I removed all certs from the previous old certification chain, including the cert for pxGrid, which is preinstalled when installing the ISE node. It looks like this:
It is a cert from the Certificate Services Endpoint Sub CA.
For example, the ISE Messaging Service cert is replaced without exporting any CSR and so on.
I do not know how to now create that cert which is created during installation of the ISE node.
10-16-2023 01:42 PM
Have you tried to generate a Signing Request?
10-16-2023 02:54 PM
Yes, and then where is the interface of the Certificate Services Endpoint Sub CA where I can submit the generated CSR file and get the final cert?
In the case of the ISE Messaging Service, it is done without exporting any CSR and so on. Here it is fine for an external CA: export the CSR, sign it and bind the signed cert back to the private key. For this method everything is fine; everything is in the documentation.
What is missing, and what I am asking, is how to get those built-in certs from the internal Endpoint Sub CA?
10-16-2023 03:55 PM
Hello @stayd
I don't know if there is a simpler way, but I did it via the ISE Certificate Provisioning Portal.
As you correctly pointed out, the Generate CSR for pxGrid creates only the CSR. If you then want the cert to be created by the ISE Internal CA system (Root CA -> Node CA -> Endpoint Sub CA) then you need to enable the Certificate Provisioning Portal. It's yet another ISE Portal that allows users to log in and create certs - kind of like Windows Server CA certsrv.
Setting up the Portal is always a bit of a pain in my opinion, but I create an internal ISE user account, and then assign that account to also be an ISE Admin (Super Admin).
I create the Portal
I created a DNS isecertportal.rnlab.local entry for one of my PSNs
Then log in to the Portal
Paste your CSR from earlier into the portal. It requires all the password stuff etc. but since you already have the Private key on your ISE, you can just fill in a dummy password - you won't need the Private Key. The result will be a cert file that you can bind to your ISE.
01-20-2024 07:03 AM - edited 01-25-2024 01:59 AM
Hello Arne,
thank you for your tip. Finally I was able to return to this topic and I have tried your tip.
I had some setup issues with the portal and RBAC and so on, but I could get through all of them successfully.
I was not able to perform this step at all.
The first issue was with the key size: by default (at least in 3.2) the CSR has a 4096-bit key, but that does not match the pxGrid certificate template. So I changed the size to 2096 and changed the signature algorithm from the default 384 to 256 bit.
But it also gives me an error after clicking the Generate button; this time I see a cert for the endpoint, so it ends up as a cert issued to some endpoint, with an error.
According to Operations/Reports/Endpoints and Users/Manual Certificate Provisioning I got INTERNAL_SERVER_ERROR.
I could not even finish binding the cert to the CSR.
So it does not work for some reason; internal server error is a generic message and I do not see more.
I tried to find something in show logging and show logging application caservice.log, but nothing valuable regarding the Internal Error.
2024-01-20 15:26:52,267 INFO [caservice-http-94442][[]] cisco.cpm.caservice.api.CaRestServer -:::::- Rest api request handling complete. Undeploying per-request CA Rest Server.
2024-01-20 15:26:52,514 INFO [CAService-Scep][[scep job 4a94ae1f79a7e2aa34e8c9604cc7fb1f51bf0bcb, 0x15f2ddd9, request, validation]] com.cisco.cpm.caservice.CrValidator -:::::- Choosing the provider based on the key type
2024-01-20 15:26:52,514 INFO [CAService-Scep][[scep job 4a94ae1f79a7e2aa34e8c9604cc7fb1f51bf0bcb, 0x15f2ddd9, request, validation]] com.cisco.cpm.caservice.CrValidator -:::::- Received key type is RSA
2024-01-20 15:26:52,549 INFO [CAService-Scep][[scep job 4a94ae1f79a7e2aa34e8c9604cc7fb1f51bf0bcb, 0x15f2ddd9, request, issuance]] com.cisco.cpm.caservice.CertificateAuthority -:::::- issuing Certificate Services Endpoint Certificate:
class [com.cisco.cpm.caservice.CaResultHolder] [1349148948]: result: [CA_OK]
subject [C=, L=, O=, OU=Certificate Services System Certificate, CN=X.Y.Z]
version [3]
serial [0x32f9c3f5-df74453b-afa87972-daa4335b]
validity [after [2024-01-19T15:26:52+0100] before [2026-01-19T15:26:52+0100]]
keyUsages [ digitalSignature nonRepudiation keyEncipherment ]
Any more tips, or will I end up with TAC?
There is also a need to install patch 4 for 3.2; maybe during patching the system will release these missing certs for pxGrid, maybe not.
01-20-2024 01:34 PM
Hello again,
You're right - I kind of skipped over the CSR creation process in my worked example. Indeed, 4096 is the default and IMHO it's a bad default because nobody should be making RSA certs with this key length. It offers no post-quantum protection and all it does is waste CPU cycles. 2048 bit RSA has not been cracked - the closest they can get is around 800 bits - using an insane number of resources. Stick with RSA 2048. The alternative is Elliptic curve. But stick with RSA for now.
I can't tell from your response whether you failed to generate the CSR, or whether you failed to generate the cert in the Cert Portal?
Here is what I did in ISE 3.2 patch 4 - for one of my lab nodes.
It generates the CSR as a text file.
Then hop over to the Cert Portal and log in.
I want to "Generate a single certificate (with certificate signing request)"
Paste the CSR from the text file
And the rest goes like this
MAC Address - don't enter anything.
Certificate Download Format - Cert in PEM format (the second option in the drop-down)
Choose a password - you won't need it, but the portal forces you to enter one. It's pointless because the private key is on your ISE node, and the portal doesn't have it. This password is only required if the Portal had generated the CSR itself. That's when you have the private and public RSA key. The private key is the one that then gets password protected.
If all goes well, the portal spits out two files
You upload the file (shown at the bottom) back into the ISE CSR page (Bind Certificate)
If you're getting internal errors at any stage and you followed these steps then perhaps the ISE node has issues. Have you tried stopping all the services and rebooting? Sometimes that fixes weird issues.
Patch 4 is pretty rock solid for me so far.
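Added example, not from the thread or from Cisco: a local pre-check of a pxGrid CSR against the template constraints the thread settles on (RSA 2048 key, SHA-256 signature) before it is pasted into the Certificate Provisioning Portal, so a template mismatch is caught on the admin workstation rather than as a portal error. It assumes only the openssl CLI; file names and the sample subject are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the thread's or Cisco's code): check a CSR against the
# pxGrid template constraints described in the thread (RSA 2048, SHA-256).
# Assumes only the openssl CLI; file names are placeholders.
set -eu

# Print the RSA modulus size (bits) of the CSR's public key.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the CSR's signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9]*\).*/\1/p'
}

# Echo "OK" when the CSR fits the template, otherwise a FAIL reason
# (and return 1) so the check can gate a script.
check_pxgrid_csr() {
    bits=$(csr_key_bits "$1")
    alg=$(csr_sig_alg "$1")
    if [ "$bits" != "2048" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, template expects 2048"
        return 1
    fi
    if [ "$alg" != "sha256WithRSAEncryption" ]; then
        echo "FAIL: signature is ${alg:-unknown}, expected sha256WithRSAEncryption"
        return 1
    fi
    echo "OK"
}

# Build a constructed sample CSR (throwaway key, placeholder subject) so the
# check can be exercised offline: make_test_csr OUT.csr BITS DIGEST
make_test_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "${1%.csr}.key" \
        "-$3" -subj "/CN=ise-psn.example.invalid" -out "$1" 2>/dev/null
}

# Stand-alone demo: a 4096-bit / SHA-384 CSR (the ISE 3.2 defaults the
# poster describes, read here as SHA-384) fails; 2048 / SHA-256 passes.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_csr "$d/default.csr" 4096 sha384
    make_test_csr "$d/pxgrid.csr" 2048 sha256
    check_pxgrid_csr "$d/default.csr" || true
    check_pxgrid_csr "$d/pxgrid.csr"
fi
```

Run it with `demo` to see both outcomes, or call `check_pxgrid_csr` on the CSR file exported from the ISE node before opening the portal.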
01-25-2024 09:17 AM
>>If all goes well, the portal spits out two files
In my case this has never happened. I am not getting these 2 files.
Here I stopped with error.