
Why is the PAN CA not there?

ffadhilpi
Level 1

Hi Forum,

I have 2 nodes, a primary and a secondary. I'm deploying onboarding for BYOD, but I'm having an issue where my primary PAN/PSN CA certs are not there. I checked on the CLI and the Cert Authority service is running. See the attached image. The issue is that when users are redirected to the primary PSN for onboarding, they get an error regarding the SSL session, but when I disconnect the primary PSN and the user request goes to the secondary PSN, they work fine.

Any advice is appreciated.

Accepted Solution

Craig Hyps
Level 10

Check the trust certificate store and verify if you see the Root CA cert. Depending on which node was Primary PAN at time of install, the root CA may be on the secondary PAN now. You can create a repository and run export internal CA certs from the CLI (under 'application configure ise') and you will see all the certs and chain after export in the CLI. Check on both nodes.

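The check Craig describes comes down to confirming that a node's trust store actually holds the root CA that the PSN's subordinate CA chains to; if the root is absent, a client presented with the PSN's certificate chain cannot reach a trust anchor and the SSL session fails. The script below is an added example, not code from the thread or from Cisco: it uses the openssl CLI to build a constructed root CA, subordinate CA and PSN endpoint certificate, shows that verification succeeds only when the root is in the trust store, and lists the subject and issuer of every certificate in an exported PEM bundle so the chain can be inspected the way Craig suggests after an export. All names, paths and keys are constructed for the demo; it assumes an openssl CLI (1.1.1 or later) on the path.

```shell
#!/bin/sh
# Added demo (not from the thread): constructed CA hierarchy shaped like ISE's
# internal CA (root CA -> node sub CA -> PSN endpoint cert). Shows that a trust
# store without the root CA cannot verify the PSN's chain, and lists each cert in
# an exported PEM bundle. Every name, path and key here is constructed.

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

WORK="${TMPDIR:-/tmp}/ise-ca-demo.$$"
mkdir -p "$WORK/split" && cd "$WORK" || exit 1

# Minimal req config so the demo does not depend on the system openssl.cnf;
# [root_ext] gives the self-signed root its CA extensions.
printf '[req]\ndistinguished_name=dn\nx509_extensions=root_ext\n[dn]\n[root_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > req.cnf
# Extensions applied when signing the sub CA and the endpoint cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Build root CA -> sub CA -> leaf (EC P-256 keys, 1-day validity).
build_hierarchy() {
  openssl ecparam -genkey -name prime256v1 -noout -out root.key
  openssl req -new -x509 -config req.cnf -key root.key -out root.pem -days 1 \
    -subj "/CN=Constructed ISE Root CA"

  openssl ecparam -genkey -name prime256v1 -noout -out sub.key
  openssl req -new -config req.cnf -key sub.key -out sub.csr -subj "/CN=Constructed PSN Sub CA"
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 1 -extfile ca.ext -out sub.pem 2>/dev/null

  openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
  openssl req -new -config req.cnf -key leaf.key -out leaf.csr -subj "/CN=psn1.example.invalid"
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -set_serial 3 \
    -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Verify the PSN leaf against a trust store, offering the sub CA as an untrusted
# intermediate, the way a client builds the chain. Exit 0 = chain reaches a
# self-signed root in the store; non-zero = no trust anchor found.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted sub.pem leaf.pem >/dev/null 2>&1
}

# Print subject and issuer of each cert in a PEM bundle (e.g. the output of the
# ISE export-internal-CA-certs step) to see which CA certs and chain it holds.
list_bundle() {
  rm -f split/cert*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("split/cert" n ".pem")}' "$1"
  for f in split/cert*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

build_hierarchy

# Healthy node: root CA present in the trust store, chain verifies.
cp root.pem store_with_root.pem
verify_leaf store_with_root.pem && echo "root in trust store: chain OK"

# Symptom from the thread: root CA absent, only the sub CA is trusted, so the
# chain never reaches a self-signed anchor and the SSL session fails.
cp sub.pem store_without_root.pem
verify_leaf store_without_root.pem || echo "root missing from trust store: chain FAILS"

echo "--- exported bundle contents ---"
cat sub.pem root.pem > exported_bundle.pem
list_bundle exported_bundle.pem
```

Run it with `sh demo.sh`; the generated files stay in the temporary directory for inspection. With a real deployment you would point `list_bundle` at the exported PEM and `verify_leaf` at a PEM export of the node's trusted certificates; a verification that fails while the subordinate CA is present but the root is not is exactly the condition Craig points to, and it should be checked on both nodes.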

2 Replies

hslai
Cisco Employee

Adding to Craig's, it appears that your deployment's primary PAN changed the hostname before, because the common name of the root CA looks different from either node.

As you are going to change the hostname again, I would suggest you go ahead and do that and then replace the internal CA certificates, which will be single-root. See Generate Root CA and Subordinate CAs on the PAN and PSN.