ISE 1.1.1 Certificate Issue

Zohaib Hussain
Level 1

I have an ISE deployment of two nodes. I generated a CSR, self-signed it and bound it in the ISE. It was working fine. Now I wanted to change the certificate to one from a new authority, so I took the same CSR and signed it with a different authority. But after uploading it to the ISE and deleting the old one, I'm still getting the same certificate when I do HTTPS. I deleted the old certificate from the secondary node also and rejoined it. I even restarted the ISE appliance but am still getting the old certificate from the primary node.

Is this a bug or do I need to change something? I already selected the new certificate for HTTPS and EAP authentications.

Thanks,

Zohaib


bikespace
Level 1

Is the old cert gone from the cert store?
Make sure it's not knocking around somewhere.
I've seen similar, but deleted old cert and app stop ise, app start ise cured it.

Sent from Cisco Technical Support iPhone App

nspasov
Cisco Employee

Hmm that is very interesting. You can try this:

- Instead of deleting the old cert, just import the new cert and check the box to "override" the existing one for the HTTPS protocol. If successful, the services on the affected node will restart.

Thanks for rating!

Zohaib Hussain
Level 1

@bikespace

I checked all the locations in the primary and secondary nodes but couldn't find the old one. After I deleted the old one, I did stop and start the ISE app but had the same problem.

@Neno

That's what I did at the start: I didn't delete the old one, just overrode it with the new one and did a stop/start of the ISE app. It was still giving me the old cert, that's why I deleted it.

It seems like the old cert is stored somewhere on the disk, which is of course not accessible. My last option would be to back up and factory default both boxes, restore and generate new certificates, since the backup doesn't back up certs.

Thanks,

Zohaib

If you are having that much trouble with it, I would recommend that you escalate it with TAC. They can provide you with a root patch which will give you root access to the system, and the cert can be manually deleted that way. Otherwise, if you back up the system and factory restore it, you risk ending up in the same place where you started.

Thanks for rating!

The issue was resolved after I installed certificates signed by the new CA server and restarted both boxes. After the restart everything returned to normal, with only one certificate selected for EAP and HTTPS authentications.

I guess some internal process was hung and it resolved after the restart.

Thanks,

Zohaib
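
Added example, not part of the thread and not Cisco tooling: because the new certificate here was issued from the same CSR, it has the same subject and public key as the old one, so the reliable way to tell which one a node is serving is the issuer and the SHA-256 fingerprint. The function names, file names and the host/port arguments are assumptions; only standard `openssl` subcommands are used.

```shell
# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Issuer DN of a PEM certificate file (differs once a new CA signs the CSR).
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# SHA-256 of the certificate's public key. Every certificate issued from
# one CSR shares this value, so it cannot separate old from new.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Save the leaf certificate a TLS listener presents.
# $1 = host, $2 = port (caller-supplied, e.g. the node's admin portal),
# $3 = output PEM file.
fetch_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# Classify a served certificate against the old and new certificate files.
# $1 = served PEM, $2 = old PEM, $3 = new PEM. Prints: new | old | unknown
classify_served() {
  fp=$(cert_fp "$1")
  if [ "$fp" = "$(cert_fp "$3")" ]; then
    echo new
  elif [ "$fp" = "$(cert_fp "$2")" ]; then
    echo old
  else
    echo unknown
  fi
}
```

Run `fetch_served_cert` against each node separately, then `classify_served`, so a stale certificate on one node is not masked by the other.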
