The Portal tag is already assigned to the following certificate(s)

Hi,

I have Cisco ISE version 3.0 Patch 2.

The portal certificate is expiring in about 5 weeks' time.

I need to generate a CSR to replace this certificate with a newer one. I have added in all the info except that the friendly name has 2022 in it and the old cert does not.

When I check Submit, I get the following warning:

  The Portal tag is already assigned to the following certificate(s). If you proceed, it will be removed from the existing certificates, and affected portals will be restarted. Do you want to proceed?

                2022_Cert_Portal_ISE_01

I don't want to click "Yes" in case I cause an outage.

Any ideas?

Thanks

Anthony.


Greg Gibbs
Cisco Employee

The Portal Tag is not really part of the CSR or the certificate itself. It's just an internal mapping in ISE.

You can create the CSR with a new dummy Portal Tag to get the signed cert from your CA. Once you have the signed certificate, you can either:

  1. Specify the real Portal Tag when binding the certificate to the CSR, at which point the affected portals will be restarted
  2. Bind the certificate to the CSR using the dummy Portal Tag and edit the cert at a later date to move it to the real Portal Tag (at which point the affected portals will be restarted)

You should note that the portal restart happens very quickly and may not even be noticeable to end users. It is not the same as the ISE services restarting.

In case we click yes, would the existing portal remain with no certificate associated until the renewed one is bound?

It didn't make sense that ISE would pull the cert off since it only supports HTTPS, so I tested it in my lab. As I suspected, the CSR creation itself does not pull the cert from the portals or restart the portal. It only moves the cert and restarts the portals using the same Tag when the certificate is bound to the CSR.

That's why I was wondering! Thanks for spending the time to lab this up and confirm.

Hi Greg,

Thanks for your quick response.

What I take from this is:

1. Generate a CSR, fill out all the fields I require but do not tick the Portal option

2. When cert is returned from the CA, import it to ISE

3. Edit the imported cert and tick the Portal option. The service will restart but it may not be service affecting as this is instantaneous.

4. Delete old cert a few days later.

Do this step for both ISE appliances. We only have two ISE appliances and both certs are expiring on the same day.

Thanks

Anthony.

Hi Greg,

Am I right in my thinking here?

@Anthony O'Reilly,

Creating a CSR requires the selection of a Usage. If you select the 'Multi-Use' Usage for the CSR, the procedure you describe will work. You would select the Portal usage and Tag at the time of binding the signed cert to the CSR.

Alternatively, you could select the Portal Usage and the correct Portal Tag at the time of creating the CSR and ignore the warning (as it only applies at the time of binding the cert to the CSR, as I described in the previous post).