
ISE can not Import Server Certificate

huang zhongwei
Level 1

I want to use the 802.1X EAP-TLS protocol to authenticate clients. I then requested a web server certificate from a Microsoft 2003 CA server and saved it to my PC. When I open the local Certificates > Import Server page in ISE, there is a "Private Key File" item, but I don't know how to generate this file.

In addition, after I submit, ISE prompts "Unable to read certificate file - please be sure file is in PEM or DER format".

Can anyone tell me what procedure to follow? I would be truly grateful.

8 Replies

Tarik Admani
VIP Alumni

Hi,

If you generated the CSR on the ISE node locally, you are choosing the wrong option. Please use the "Bind CA Signed Certificate" option instead. The private key is generated already when you created the CSR on the ISE.

As for your second question, what are you doing to get this error? Are you generating a bogus private key file and trying to import it?

Thanks,

Tarik Admani
*Please rate helpful posts*

Venkatesh Attuluri
Cisco Employee

Steps for configuring a certificate in ISE

Step 1: Download the CA's certificate

Step 2: Trust the CA in ISE

a. In ISE, go to Administration > System > Certificates > Certificates Authority Certificates

b. Add the CA certificate as a trusted certificate

Step 3: Create a certificate signing request (CSR)

a. Go to Administration > System > Certificates > Local Certificates, and click Add

b. Generate a certificate signing request

c. Export the CSR from Administration > System > Certificates > Certificate Signing Requests

d. Once saved, open the .PEM file with Notepad and copy the entire contents to the clipboard.

Step 4: Submit the CSR to the CA for signing

Step 5: Bind the certificate to the signing request

a. In ISE, go to Administration > System > Certificates > Local Certificates and add the certificate by binding the certificate.

Step 6: Confirm that the new ISE certificate is being used

a. Log out of ISE and close all browser windows

b. Reopen the browser and go to the ISE login page. Confirm that the browser is securing the HTTPS session using the new ISE certificate.

Can you clarify what you mean by, "Step 5: Bind the certificate to the signing request"? Note I am using ISE 2.3.

I found the answer: after you generate a CSR request you need to load the certificate on the "Certificate Signing Requests" page (by selecting Bind Certificate) rather than trying to import it as a new certificate on the "System Certificates" page.

Cisco could make this more intuitive.

good.

When I'm trying to do Step 5 (Bind the certificate to the signing request), this error appears:

"Certificate path validation failed. make sure required Certificate chain is imported under Trusted Certificates"

You need to import the root and any intermediate certificates that are in the certificate chain of the signed / generated certificate.

You do this under the "Trusted Certificates" menu/page on the primary admin node.

My friend,

How can I do Step 4: Submit the CSR to the CA for signing?

I am using ISE version 2.7.

See the information and examples provided in How To Implement Digital Certificates in ISE

If there is something additional you are having trouble with, please provide more detail on what help you require.
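
The checks behind the errors discussed in this thread, as an added example that is not from any of the posters or from Cisco: run on a workstation with OpenSSL, it tests whether a file is a single PEM or DER certificate, whether its public key matches the CSR (the reason binding needs no private key file), and whether the chain validates with the root and intermediate you would import under Trusted Certificates. All file names, subjects and the throwaway CA hierarchy are constructed for the demo.

```shell
#!/bin/sh
# Added example: workstation checks to run before "Bind Certificate" in ISE.
# Every file and subject name below is constructed for the demo.

# Print PEM or DER if FILE is a single X.509 certificate, otherwise fail.
# A PKCS#7 (.p7b) bundle is not a single certificate and fails this check.
cert_format() {  # usage: cert_format FILE
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then fmt=PEM; else fmt=DER; fi
  openssl x509 -in "$1" -inform "$fmt" -noout 2>/dev/null || { echo unreadable; return 1; }
  echo "$fmt"
}

# True when CERT carries the same public key as CSR, i.e. the private key
# that stayed on the node which generated the CSR belongs to this certificate.
matches_csr() {  # usage: matches_csr CERT CSR
  f=$(cert_format "$1") || return 1
  c=$(openssl x509 -in "$1" -inform "$f" -noout -pubkey 2>/dev/null) || return 1
  r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$r" ]
}

# True when CERT chains to ROOT, optionally through an INTERMEDIATE file.
chain_ok() {  # usage: chain_ok CERT ROOT [INTERMEDIATE]
  openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> server chain inside DIR.
make_demo_pki() {  # usage: make_demo_pki DIR
  ( cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -subj '/CN=Demo Root CA' -days 2
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj '/CN=Demo Issuing CA'
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -out int.pem -days 2
    openssl req -new -newkey rsa:2048 -nodes -keyout ise.key -out ise.csr -subj '/CN=ise.example.test'
    openssl x509 -req -in ise.csr -CA int.pem -CAkey int.key -CAcreateserial -out ise.pem -days 2
    openssl x509 -in ise.pem -outform DER -out ise.der          # same cert, DER encoded
    openssl crl2pkcs7 -nocrl -certfile ise.pem -out ise.p7b     # PKCS#7 wrapper around it
  ) >/dev/null 2>&1
}

# Demo run over the constructed files.
d=$(mktemp -d) && make_demo_pki "$d"
echo "ise.der: $(cert_format "$d/ise.der")   ise.p7b: $(cert_format "$d/ise.p7b")"
matches_csr "$d/ise.pem" "$d/ise.csr" && echo "certificate matches the CSR"
chain_ok "$d/ise.pem" "$d/root.pem" || echo "path validation fails with only the root"
chain_ok "$d/ise.pem" "$d/root.pem" "$d/int.pem" && echo "chain validates with the intermediate"
rm -rf "$d"
```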