cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
891
Views
0
Helpful
6
Replies

Restore pxGrid build-in certificate which is there after installing

stayd
Level 1
Level 1

Hello,

I replaced root CA. Than I removed all certs from previous old certification chain, including cert for pxGrid, which is preinstalled by installing ise node, it looks like this:

stayd_0-1697476854815.png

It is cert from Certificate Services Endpoint Sub CA.

For example ISE Messaging Service cert is replaced without any exporting csr and so on.

I do not know how to create now that cert which is created during installing ise node.

6 Replies 6

Arne Bier
VIP
VIP

Have you tried to generate a Signing Request?

ArneBier_0-1697488923358.png

 

stayd
Level 1
Level 1

Yes, and than where is the interface of Certificate Services Endpoint Sub CA where can I give the generated csr file and get final cert ?

In case of ISE Messaging Service, it is done without any exporting csr and so on. Here it is good for external CA, to export csr, sign and bind back signed csr with private key. For this method everything is fine, everything is in documantation.

What is missing and I am asking how to get those build-in certs from internal Endpoint Sub CA ?

Arne Bier
VIP
VIP

Hello @stayd 

I don't know if there is a simpler way, but I did it via the ISE Certificate Provisioning Portal.

As you correctly pointed out, the Generate CSR for pxGrid creates only the CSR. If you then want the cert to be created by the ISE Internal CA system (Root CA -> Node CA -> Endpoint Sub CA) then you need to enable the Certificate Provisioning Portal. It's yet another ISE Portal that allows users to login and create certs - kind of like Windows Server CA certsrv.

Setting up the Portal is always a bit of a pain in my opinion, but I create an internal ISE user account, and then assign that account to also be an ISE Admin (Super Admin).

ArneBier_0-1697496448382.png

ArneBier_1-1697496496515.png

 

I create the Portal 

ArneBier_2-1697496559763.png

ArneBier_3-1697496610745.png

I created a DNS isecertportal.rnlab.local entry for one of my PSNs 

 

Then login to the Portal

ArneBier_4-1697496699785.png

ArneBier_5-1697496761075.png

Paste your CSR from earlier into the portal. It requires all the password stuff etc. but since you already have the Private key on your ISE, you can just fill in a dummy password - you won't need the Private Key. The result will be a cert file that you can bind to your ISE.

 

ArneBier_6-1697496908809.png

 

 

 

 

 

 

 

Hello Arne,

thank you for your tip. Finally I was able to return to this topic and I have tried your tip.

I had some setup issues about portal and RBAC for your and so on, but I could go through all of them successfuly.

I was not successful to perform this step at all.

First issue was with the size of key, by default (at least in 3.2) in CSR there is 4096 bit size of key, but it is not according to pxGrid certificate template. So I changed the size to 2096 and signature algorithm changed from default 384 to 256 bit.

stayd_0-1705761590205.png

But it gives me also error after clicking button Generate, but this time I see cert for endpoint, so it ends like cert issued to some endpoint with error.

According to Operations/Reports/Enpoints and Users/Manual Certififact Provisioning I got INTERNAL_SERVER_ERROR.

stayd_1-1705761894355.png

I could not even to finish binding cert to CSR.

So it does not work for some reason, internal server error is generic message and I do not see more.

I tried to find something in show logging and show logging application caservice.log, but nothing valuable regarding Internal Error.

2024-01-20 15:26:52,267 INFO [caservice-http-94442][[]] cisco.cpm.caservice.api.CaRestServer -:::::- Rest api request handling complete. Undeploying per-request CA Rest Server.
2024-01-20 15:26:52,514 INFO [CAService-Scep][[scep job 4a94ae1f79a7e2aa34e8c9604cc7fb1f51bf0bcb, 0x15f2ddd9, request, validation]] com.cisco.cpm.caservice.CrValidator -:::::- Choosing the provider based on the key type
2024-01-20 15:26:52,514 INFO [CAService-Scep][[scep job 4a94ae1f79a7e2aa34e8c9604cc7fb1f51bf0bcb, 0x15f2ddd9, request, validation]] com.cisco.cpm.caservice.CrValidator -:::::- Received key type is RSA
2024-01-20 15:26:52,549 INFO [CAService-Scep][[scep job 4a94ae1f79a7e2aa34e8c9604cc7fb1f51bf0bcb, 0x15f2ddd9, request, issuance]] com.cisco.cpm.caservice.CertificateAuthority -:::::- issuing Certificate Services Endpoint Certificate:
class [com.cisco.cpm.caservice.CaResultHolder] [1349148948]: result: [CA_OK]
subject [C=, L=, O=, OU=Certificate Services System Certificate, CN=X.Y.Z]
version [3]
serial [0x32f9c3f5-df74453b-afa87972-daa4335b]
validity [after [2024-01-19T15:26:52+0100] before [2026-01-19T15:26:52+0100]]
keyUsages [ digitalSignature nonRepudiation keyEncipherment ]

Any more tip or I will end up with TAC ?

There is also need to install patch 4 for 3.2, maybe during patching the system will release these missing certs for pxGrid, mabe not.

Hello again,

You're right - I kind of skipped over the CSR creation process in my worked example. Indeed, 4096 is the default and IMHO it's a bad default because nobody should be making RSA certs with this key length. It offers no post-quantum protection and all it does is waste CPU cycles. 2048 bit RSA has not been cracked - the closest they can get is around 800 bits - using an insane number of resources. Stick with RSA 2048. The alternative is Elliptic curve. But stick with RSA for now.

I can't tell from your response whether you failed to generate the CSR, or whether you failed to generate the cert in the Cert Portal?

Here is what I did in ISE 3.2 patch 4 - for one of my lab nodes.

ArneBier_0-1705785751149.png

It generates the CSR as a text file.

Then hop over the Cert Portal - login.

I want to "Generate a single certificate (with certificate signing request)

Paste the CSR from the text file

ArneBier_1-1705785952884.png

And the rest goes like this

MAC Address - don't enter anything.

Certificate Download Format - Cert in PEM format (the second option in the drop-down)

Choose a password - you won't need it, but the portal forces you to enter one. It's pointless because the private key is on your ISE node, and the portal doesn't have it. This password is only required if the Portal had generated the CSR itself. That's when you have the private and public RSA key. The private key is the one that then gets password protected.

ArneBier_2-1705786059197.png

 

If all goes well, the portal spits out two files

ArneBier_3-1705786286706.png

You upload the file (shown at the bottom) back into the ISE CSR page (Bind Certificate)

ArneBier_4-1705786366970.png

 

If you're getting internal errors at any stage and you followed these steps then perhaps the ISE node has issues. Have you tried stopping all the services and rebooting? Sometimes that fixes weird issues.

Patch 4 is pretty rock solid for me so far.

 

 

 

 

>>If all goes well, the portal spits out two files

In my case this has never happen. I am not getting these 2 files.

Here I stopped with error.