06-20-2017 10:02 AM - edited 02-21-2020 06:11 AM
My 3rd-party cert expired on my ISE and I got another. I am just having a terrible time figuring out how to get it in and if I even have the correct type of cert.
06-20-2017 10:32 AM
If you have generated the certificate signing request (CSR) from the ISE and obtained the new certificate from a public CA (like GoDaddy), then all you need to do is go back to the CSR section on ISE and bind the new certificate with the cert generated. You can then change your Admin, EAP, portal certificate to the new one. You only need to do this on the Primary Admin.
If you have received the cert from elsewhere, it is a little more complicated. You need to have the certificate (.pem, .cer or .crt format) and also the private key. Sometimes, these 2 are combined into a single file format called pkcs12 (.p12 or .pfx). If you have it in this format, you need to use openssl to separate the certificate and key from the pkcs12 file. You can use the pkcs12 commands as below:
To get cert
openssl pkcs12 -in combined.pfx -out cert.pem -nodes -nokeys
To get key
openssl pkcs12 -in combined.pfx -out key.pem -nodes -nocerts
Reference:
https://www.sslshopper.com/article-most-common-openssl-commands.html
06-20-2017 10:22 AM
Hi,
What ISE version are you using? You could start by looking at the following docs:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_e_man_cert.html
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html
thanks
John
06-21-2017 01:19 PM
gentlemen
I renewed the cert with GoDaddy, so I went to bind it with the CSR I got.
06-21-2017 02:59 PM
You seem to have the wildcard certificate in the trusted store. Chain name "Company NEW Chain"
Friendly Name | Status | Trusted For | Serial Number | Issued To | Issued By | Valid From | Expiration Date
Company NEW Chain | Enabled | Infrastructure | E5 6E 68 0A A4 1E 93 74 | *.paytel.com | Go Daddy Secure Certificate Authority - G2 | Tue, 29 Nov 2016 | Mon, 2 Dec 2019
June_6_2016_ISE-CERT | Enabled | Infrastructure | 60 E1 CD 12 8B 0A CA 71 | *.paytel.com | Go Daddy Secure Certificate Authority - G2 | Wed, 18 May 2016 | Fri, 18 May 2018
These certs should not be in the trusted certificate section, but only in the system cert section. Delete any non-CA certificates from the trusted certificate section. You can recognize these certs by the "Issued to" name.
06-22-2017 10:29 AM
Rahul
I removed those certs from the Trusted Certificates and I am trying to load it, but apparently I did not get a private key, so I need one.
06-22-2017 10:51 AM
Hi scottcummins,
If you generated the CSR from ISE, you do not need the private key. The ISE should already have the key. CSR generation involves the generation of the RSA keypair (private+public). The public key and other attributes are what constitute the CSR that you send to the CA. Once signed by the CA, you have to bind that signed certificate in the CSR section on ISE.
Did you try binding the certificate after deleting the certificate from the trusted store?
06-22-2017 12:45 PM
Rahul
I tried to bind it and the first warning I got was:
Only one system certificate can be used for EAP. Assigning EAP to this certificate will remove the assignment from another certificate.
Note: Make sure required Certificate Chain is imported under Trusted Certificates
I answered "Yes" and got
The certificate you are importing or generating matches an existing certificate. (Both certificates have the same subject.) If you proceed, the existing certificate will be replaced, and the new certificate will be given the same roles and Portal tag, if applicable, as the existing certificate.
Do you wish to replace the existing certificate?
I answered "Yes" and got
Certificate/Private Key validation failed.
I appreciate all your help, But I have no idea how to get the Cert loaded
06-22-2017 12:53 PM
Looks like you have gotten further in the process. The key error here is "Certificate/Private Key validation failed."
This means that the CSR that you used does not link to the certificate that you tried to associate. You can create a new CSR on ISE and rekey the certificate that you had received from GoDaddy (no cost associated). GoDaddy will issue new certificates for you. If I recall correctly, you should receive 2 files:
1) gd-bundle-**** [This is the GoDaddy CA cert chain]
2) ISE cert, random name [This is the certificate that you need to bind with the CSR]
The process for renewing a certificate on GoDaddy with a new CSR is documented in the link below. The link is written for an ASA, but the certificate renewal process on GoDaddy is the same:
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc20
Hope this helps.
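The check behind the "Certificate/Private Key validation failed" error, as an added example that is not part of the thread and not Cisco or GoDaddy code: split a PKCS#12 bundle into certificate and key with the same two openssl commands the accepted answer gives, then compare the public key carried by the certificate, the CSR and the private key. If the three fingerprints do not agree, ISE has no key that belongs to the certificate, and rekeying (a fresh CSR on ISE, re-issued by the CA) is the fix. The throwaway key, CSR, self-signed cert and .pfx are constructed inside the script; the file names (combined.pfx, ise.csr, other.key) and the bundle password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco/GoDaddy: split a
# PKCS#12 bundle into certificate and key, then check that certificate,
# private key and CSR all carry the same public key. A mismatch is what ISE
# reports as "Certificate/Private Key validation failed".
# Everything here is constructed for the demo: the throwaway key, CSR and
# self-signed cert stand in for the CA-issued files, and the file names
# (combined.pfx, ise.csr, other.key) and password are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: one key pair, a CSR and a cert made from it, a .pfx
# bundling cert+key, plus a second unrelated key (what ISE is left holding
# when a CSR is regenerated but the certificate is not rekeyed).
make_fixture() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/orig.key" 2>/dev/null
  openssl req -new -key "$WORK/orig.key" -subj "/CN=ise.example.test" \
    -out "$WORK/ise.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ise.csr" -signkey "$WORK/orig.key" -days 30 \
    -out "$WORK/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
    -passout pass:secret -out "$WORK/combined.pfx"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
}

# The two commands from the accepted answer, with the bundle password given
# explicitly so the script runs unattended. Produces cert.pem and key.pem.
split_pkcs12() {  # $1 = .pfx file, $2 = bundle password
  openssl pkcs12 -in "$1" -passin "pass:$2" -out "$WORK/cert.pem" -nodes -nokeys
  openssl pkcs12 -in "$1" -passin "pass:$2" -out "$WORK/key.pem" -nodes -nocerts
}

# SHA-256 of the DER-encoded public key. A certificate, the CSR it was issued
# from and the matching private key all share this value, so comparing it is
# a reliable "does this key belong to this cert" test.
pub_fingerprint() {  # $1 = x509 | req | pkey, $2 = file
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "yes" when cert, key and CSR agree, otherwise "no" (with the reason
# on stderr). Usable as a pre-flight check before binding in ISE.
cert_key_csr_match() {  # $1 = cert PEM, $2 = private key PEM, $3 = CSR PEM
  c=$(pub_fingerprint x509 "$1")
  k=$(pub_fingerprint pkey "$2")
  r=$(pub_fingerprint req  "$3")
  if [ "$c" != "$k" ]; then
    echo "private key does not belong to the certificate" >&2; echo no; return 0
  fi
  if [ "$c" != "$r" ]; then
    echo "CSR was generated with a different key than the certificate" >&2; echo no; return 0
  fi
  echo yes
}

make_fixture
split_pkcs12 "$WORK/combined.pfx" secret
echo "extracted key vs cert vs CSR: $(cert_key_csr_match "$WORK/cert.pem" "$WORK/key.pem" "$WORK/ise.csr")"
echo "unrelated key vs cert vs CSR: $(cert_key_csr_match "$WORK/cert.pem" "$WORK/other.key" "$WORK/ise.csr")"
```

Against a real bundle, point split_pkcs12 at the .pfx you were given and cert_key_csr_match at the extracted files plus the CSR exported from the ISE CSR page; "yes" means the bind will pass key validation, "no" means you are holding a certificate issued for some other key and need to rekey it with the CA.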
06-22-2017 03:28 PM
Thanks Rahul
I really appreciate your help. I will do that first thing tomorrow morning
06-26-2017 07:21 AM
Good day rahul
I tried to bind the CSR to the new re-keyed certificate, selected "Admin" under "Usage", and received this error:
Enabling Admin role for this certificate will cause an application server restart on the selected node.
Note: Make sure required Certificate Chain is imported under Trusted Certificates
I selected "OK" to continue, selected "EAP Authentication" and "Portal", and then received this error:
Only one system certificate can be used for EAP. Assigning EAP to this certificate will remove the assignment from another certificate.
Note: Make sure required Certificate Chain is imported under Trusted Certificates
I again hit "OK" to bypass the error and selected "Portal", and when I hit "Submit":
Certificate contains wildcard values in CN or SubjectAltName extension. Please confirm this is intended by clicking Yes.
Note: Enabling Admin role for this certificate will cause an application server restart on all deployment nodes. This will result in significant downtime for the system.
then I get the following:
09-18-2017 06:39 PM
Please import the certificate without any usage, and once it is installed, enable the usage field.
02-10-2021 08:59 PM
Hi Rahul,
Need clarification on your statement about obtaining the certificate from elsewhere. Does that apply to certificates obtained from a Microsoft Enterprise CA as well? I am trying to replace expiring certificates, used only for EAP Authentication.
I have got root and intermediate CA certs for the Microsoft Enterprise CA already in the Trusted Certificates on ISE.
I generated individual CSRs for multiple ISE nodes (2 x policy and 2 x admin). The system admin generated the certs (PKCS #7 certificates (.p7b)). Binding the cert works fine on the first policy and admin nodes. However, when I try to bind the other policy and/or admin nodes, I see the same message that the original post mentioned, i.e.:
The certificate you are importing or generating matches an existing certificate. (Both certificates have the same subject.) If you proceed, the existing certificate will be replaced, and the new certificate will be given the same roles and Portal tag, if applicable, as the existing certificate.
I am not sure what the impact of this would be so I am hesitant to go through with this on the 2nd set of nodes.
Any ideas?
Regards,
mag
02-12-2021 02:24 AM
Hi All,
Just wanted to update for information.
My issue is resolved. In the end I proceeded with clicking YES on the alert message and it replaced the expiring certificate, as intended. The message is correct, as the new certificate was intended to replace the expiring one and had the same subject.
However, I am still not sure why the same message did not pop up when performing the same operation on the first two nodes.
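An added example, not from the thread and not Cisco or Microsoft code, for the PKCS#7 case above: unpack a .p7b bundle of the kind an enterprise CA returns, list the subject of every certificate in it, and flag subjects that occur more than once. The dialog quoted in the thread says ISE treats two certificates as "the same" when their subjects match, so per-node certificates that reuse one CN and differ only in their SAN are exactly the ones that trip it; knowing that in advance tells you whether "replace" is what you intend. The bundle and its three self-signed certificates are constructed inside the script; the host names and SANs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco/Microsoft: unpack a
# PKCS#7 (.p7b) bundle, list certificate subjects, and flag the subjects
# that appear more than once (the condition ISE names in its "matches an
# existing certificate (same subject)" prompt).
# The bundle and its three self-signed certs are constructed for the demo;
# the host names and SANs are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed cert with a given subject and SAN.
make_cert() {  # $1 = file base, $2 = subject, $3 = SAN list
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "$2" -addext "subjectAltName=$3" -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed fixture: two per-node certs that reuse one subject (the
# situation described in the thread) plus one cert with a distinct subject,
# all packed into one PEM-encoded .p7b.
make_bundle() {
  make_cert psn1 "/CN=ise.example.test" "DNS:psn1.example.test"
  make_cert psn2 "/CN=ise.example.test" "DNS:psn2.example.test"
  make_cert pan1 "/CN=pan1.example.test" "DNS:pan1.example.test"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/psn1.crt" -certfile "$WORK/psn2.crt" \
    -certfile "$WORK/pan1.crt" -out "$WORK/bundle.p7b"
}

# Convert .p7b to a PEM file of plain certificates, for an import form that
# does not accept PKCS#7. Add "-inform DER" for a binary .p7b from Windows.
p7b_to_pem() {  # $1 = .p7b, $2 = output PEM
  openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# One line per distinct subject: "<count> <subject>".
subjects_in_bundle() {  # $1 = .p7b
  openssl pkcs7 -print_certs -noout -in "$1" \
    | sed -n 's/^subject=//p' | sort | uniq -c | sed 's/^ *//'
}

# Subjects that occur more than once, one per line: importing a second
# certificate with any of these subjects will trigger the replace prompt.
duplicate_subjects() {  # $1 = .p7b
  subjects_in_bundle "$1" | awk '$1 > 1 { $1 = ""; sub(/^ /, ""); print }'
}

make_bundle
p7b_to_pem "$WORK/bundle.p7b" "$WORK/bundle.pem"
echo "subjects in bundle:"
subjects_in_bundle "$WORK/bundle.p7b"
echo "subjects ISE would treat as an existing certificate:"
duplicate_subjects "$WORK/bundle.p7b"
```

Run duplicate_subjects against the .p7b files your CA returned for all nodes before binding: an empty result means each node certificate has its own subject and no replace prompt is expected, while a listed subject means the later bind will replace the earlier certificate with that subject, as it did for the poster above.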