Where can I go to ask about Certificates and ISE?

scottcummins
Level 1

My 3rd party cert expired on my ISE and I got another. I am just having a terrible time figuring out how to get it in, and if I even have the correct type of cert.

Accepted Solution

Rahul Govindan
VIP Alumni

If you have generated the certificate signing request (CSR) from the ISE and obtained the new certificate from a public CA (like GoDaddy), then all you need to do is go back to the CSR section on ISE and bind the new certificate with the cert generated. You can then change your Admin, EAP, portal certificate to the new one. You only need to do this on the Primary Admin.

If you have received the cert from elsewhere, it is a little more complicated. You need to have the certificate (.pem, .cer or .crt format) and also the private key. Sometimes, these 2 are combined into a single file format called pkcs12 (.p12 or .pfx). If you have it in this format, you need to use openssl to separate the certificate and key from the pkcs12 file. You can use the pkcs12 commands as below:

To get cert

openssl pkcs12 -in combined.pfx -out cert.pem -nodes -nokeys

To get key

openssl pkcs12 -in combined.pfx -out key.pem -nodes -nocerts

Reference:

https://www.sslshopper.com/article-most-common-openssl-commands.html


13 Replies

johnd2310
Level 8

Hi,

What ISE version are you using? You could start by looking at the following docs:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_e_man_cert.html

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html

thanks

John

**Please rate posts you find helpful**

Gentlemen,

I renewed the cert with GoDaddy, so I went to bind it with the CSR I get.

You seem to have the wildcard certificate in the trusted store. Chain name "Company NEW Chain".

Friendly Name: Company NEW Chain
Status: Enabled
Trusted For: Infrastructure
Serial Number: E5 6E 68 0A A4 1E 93 74
Issued To: *.paytel.com
Issued By: Go Daddy Secure Certificate Authority - G2
Valid From: Tue, 29 Nov 2016
Expiration Date: Mon, 2 Dec 2019

Friendly Name: June_6_2016_ISE-CERT
Status: Enabled
Trusted For: Infrastructure
Serial Number: 60 E1 CD 12 8B 0A CA 71
Issued To: *.paytel.com
Issued By: Go Daddy Secure Certificate Authority - G2
Valid From: Wed, 18 May 2016
Expiration Date: Fri, 18 May 2018

These certs should not be in the trusted certificate section, but only in the system cert section. Delete any non-CA certificates from the trusted certificate section. You can recognize these certs by the "Issued to" name. 

Rahul

I removed those certs from the Trusted and I am trying to load it, but apparently I did not get a Private Key, so I need one.

Hi scottcummins,

If you generated the CSR from ISE, you do not need the Private Key. The ISE should already have the key. CSR generation involves the generation of the RSA keypair (private+public). The public key and other attributes are what constitute the CSR that you send to the CA. Once signed by the CA, you have to bind that signed certificate in the CSR section on ISE.

Did you try binding the certificate after deleting the certificate from the trusted store? 

Rahul

I tried to bind it and the first warning I got was:

Only one system certificate can be used for EAP. Assigning EAP to this certificate will remove the assignment from another certificate.

Note: Make sure required Certificate Chain is imported under Trusted Certificates

I answered "Yes" and got

The certificate you are importing or generating matches an existing certificate. (Both certificates have the same subject.) If you proceed, the existing certificate will be replaced, and the new certificate will be given the same roles and Portal tag, if applicable, as the existing certificate.

Do you wish to replace the existing certificate?

I answered "Yes" and got

Certificate/Private Key validation failed.

I appreciate all your help, but I have no idea how to get the cert loaded.

Looks like you have gotten further in the process. The key error here is "Certificate/Private Key validation failed."

This means that the CSR that you used does not link to the certificate that you tried to associate. You can create a new CSR on ISE and rekey the certificate that you had received from GoDaddy (no cost associated). GoDaddy will issue new certificates for you. If I recall correctly, you should receive 2 files:

1) gd-bundle-**** [This is the GoDaddy CA cert chain]

2) ISE cert, random name [This is the certificate that you need to bind with the CSR]

The process for renewing a certificate on GoDaddy with a new CSR is documented in the link below. The link is written for an ASA, but the certificate renewal process on GoDaddy is the same:

http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc20

Hope this helps.
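An added example, not code from the thread or from Cisco: the accepted answer's PKCS#12 split plus the two pre-flight checks that would have caught the problems in this thread, a certificate that does not belong to the CSR's key ("Certificate/Private Key validation failed") and a non-CA certificate sitting in the trusted store. It assumes openssl is on PATH; all file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco/ISE. Pre-flight checks with
# the openssl CLI before binding a certificate on ISE:
#  - split a PKCS#12 bundle into cert + key (the accepted answer's commands)
#  - confirm the cert was issued for the key behind the CSR ISE holds, which is
#    what "Certificate/Private Key validation failed" complains about
#  - tell CA certs (Trusted Certificates) from server certs (System Certificates)
# Assumes openssl is on PATH; file names below are placeholders.

# split_pkcs12 <combined.pfx> <cert.pem> <key.pem> [password]
split_pkcs12() {
  openssl pkcs12 -in "$1" -out "$2" -nodes -nokeys  -passin "pass:${4:-}"
  openssl pkcs12 -in "$1" -out "$3" -nodes -nocerts -passin "pass:${4:-}"
}

# pubkey_of <cert|csr|key> <file>: print the SubjectPublicKeyInfo as PEM so the
# three object types can be compared textually.
pubkey_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    *)    echo "pubkey_of: unknown type $1" >&2; return 2 ;;
  esac
}

# cert_matches <csr|key> <cert.pem> <csr-or-key.pem>: exit 0 only when the
# certificate carries the same public key as the CSR or private key. A mismatch
# is exactly the case ISE rejects; the remedy is a new CSR on the node and a
# rekey at the CA, as described in the thread.
cert_matches() {
  [ "$(pubkey_of cert "$2")" = "$(pubkey_of "$1" "$3")" ]
}

# is_ca_cert <cert.pem>: exit 0 if basicConstraints says CA:TRUE. Only such
# certs belong in the ISE trusted store; a server cert there is the mistake
# called out earlier in the thread.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage sketch:
#   split_pkcs12 combined.pfx cert.pem key.pem
#   cert_matches key cert.pem key.pem && echo "cert and key match"
#   if is_ca_cert cert.pem; then echo "CA cert: trusted store"; else echo "server cert: system store"; fi
```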

Thanks Rahul

I really appreciate your help. I will do that first thing tomorrow morning

Good day Rahul,

I tried to bind the CSR to the new re-keyed Certificate and select "admin" under "usage" and received this error.

Enabling Admin role for this certificate will cause an application server restart on the selected node.

Note: Make sure required Certificate Chain is imported under Trusted Certificates

I selected "OK" to continue and selected "EAP Authentication" and "Portal" and then received this error.

Only one system certificate can be used for EAP. Assigning EAP to this certificate will remove the assignment from another certificate.

Note: Make sure required Certificate Chain is imported under Trusted Certificates

I again hit "OK" to bypass the error and selected "Portal", and when I hit "Submit":

Certificate contains wildcard values in CN or SubjectAltName extension. Please confirm this is intended by clicking Yes.

Note: Enabling Admin role for this certificate will cause an application server restart on all deployment nodes. This will result in significant downtime for the system.

then I get the following:

Please import the certificate without usage and, once it is installed, enable the usage field.


Hi Rahul,

Need clarification on your statement about obtaining the certificate from elsewhere. Does that apply to certificates obtained from a Microsoft Enterprise CA as well? I am trying to replace expiring certificates, used only for EAP Authentication.

I have got root and intermediate CA certs for the Microsoft Enterprise CA already in the Trusted Certificates on ISE. 

I generated individual CSRs for multiple ISE nodes (2 x policy and 2 x admin). The system admin generated the certs (PKCS #7 Certificates (.p7b)). Binding the cert works fine on the first policy and admin nodes. However, when I try to bind the other policy and/or admin nodes, I see the same message that the original post mentioned, i.e.:

The certificate you are importing or generating matches an existing certificate. (Both certificates have the same subject.) If you proceed, the existing certificate will be replaced, and the new certificate will be given the same roles and Portal tag, if applicable, as the existing certificate.

I am not sure what the impact of this would be so I am hesitant to go through with this on the 2nd set of nodes.

Any ideas?

Regards,

mag

Hi All,

Just wanted to update for information.

My issue is resolved. In the end I proceeded with clicking YES on the alert message and it replaced the expiring certificate, as intended. The message is correct, as the new certificate was intended to replace the expiring one and had the same subject.

However, I am still not sure why the same message did not pop up when performing the same operation on the first two nodes.
