08-31-2017 08:48 PM
Hi Forum,
I have 2 nodes, a primary and a secondary. I'm deploying onboarding for BYOD, but I'm having an issue where my primary PAN/PSN CA certs are not there. I checked on the CLI and the Cert authority service is running. See the attached image. The issue is that when users are redirected to the primary PSN for onboarding, they get an error regarding the SSL session, but when I disconnect the primary PSN and the user request goes to the secondary PSN, they work fine.
Any advice is appreciated.
09-01-2017 05:09 AM
Check the trust certificate store and verify if you see the Root CA cert. Depending on which node was Primary PAN at time of install, the root CA may be on the secondary PAN now. You can create a repository and run export internal CA certs from the CLI (under 'application configure ise') and you will see all the certs and chain after export in the CLI. Check on both nodes.
09-01-2017 02:41 PM
Adding to Craig's, it appears that your deployment's primary PAN changed the hostname before, because the common name of the root CA looks different from either node.
As you are going to change the hostname again, I would suggest you go ahead and do that and then replace the internal CA certificates, which will be single-root. See Generate Root CA and Subordinate CAs on the PAN and PSN.