01-30-2013 11:32 AM - edited 03-10-2019 08:02 PM
Hi,
Doing an upgrade on an ISE deployment I made a backup of all server certificates with the private key, in case of..
On one of the policy nodes I wanted to try if 'application config-reset' would speed up the upgrade. (from 1.1.0 to 1.1.1 takes about 1h/node)
I did clear the configuration and after the node was upgraded I tried to import the certificate and private key but got an error:
key pair import failed: Mismatched private key.
After some testing back and forth I did a hash match in openssl and I see that it doesn't match. I also tested the other 3 certificates with keys and it looks like I got the same problem there. I tried to unpack the cert.zip file with different unarchivers, same problem.
Anyone seen this before?
OSX:openssl x509 -noout -text -in newxxisepol2.pem | openssl md5
(stdin)= 8b8a00005e4245b4cb1e1b789d818413
OSX:openssl rsa -noout -modulus -in newxxisepol2.pvk | openssl md5
Enter pass phrase for newxxisepol2.pvk:
(stdin)= 498a4e136f7019a0f6f6d60129b0eb5d
Cheers
M
06-14-2013 06:33 AM
Hello,
Did you resolve?
I am seeing the same issue.... key import after an `application config-reset` fails. Certs checked and look ok:
linickx:certs nick$ openssl x509 -noout -modulus -in s.cer | openssl md5
f694b168f1e16b4163bd69c71b3af50d
linickx:certs nick$
linickx:certs nick$ openssl req -noout -modulus -in s.csr | openssl md5
f694b168f1e16b4163bd69c71b3af50d
linickx:certs nick$
linickx:certs nick$ openssl rsa -noout -modulus -in s.key | openssl md5
f694b168f1e16b4163bd69c71b3af50d
linickx:certs nick$
rgds,
Nick
06-14-2013 06:50 AM
Hi Nick,
Yes I got the cert back on the ISE, I did a reload on the server and after that I could import the certificate again.
Not the best answer, a bit like banging an old telly, but it did the trick for me.
Cheers
06-14-2013 09:13 AM
Thanks for getting back to me
A reboot didn't fix it, but I did find the problem... somehow I ended up with mismatching openssl formats....
To generate my pri key I used:
> openssl genrsa -out s.key 2048
the CA issued me a certificate.p7b, which I converted for use with ISE:
> openssl pkcs7 -print_certs -in certificate.p7b -out s.cer
Using this s.key & s.cer together generated the "key pair import failed: Mismatched private key." error.
To fix, I standardised the files with:
> openssl rsa -in s.key -text > private.pem
> openssl x509 -inform PEM -in s.cer > public.pem
Hopefully that'll help someone else in the future.
cheers,
Nick
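A pre-import check for the files discussed in this thread, as an added example that is not from any poster or from Cisco: `openssl pkcs7 -print_certs` writes every certificate in the .p7b to one file and `openssl x509` reads only the first, so this compares each certificate's modulus with the key's. The function names and the output directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes an RSA key, as in the posts;
# an encrypted key makes openssl prompt for its pass phrase.

# Write each PEM certificate found in file $1 to $2/certNN.pem, dropping the
# "subject=" / "issuer=" text that `openssl pkcs7 -print_certs` puts between them.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { if (on) close(out); on = 0 }
    ' "$1"
}

# Print the path of every certificate from bundle $1 whose RSA modulus equals
# that of private key $2 (split files go to the existing directory $3).
# Returns 0 if at least one matches, 1 if none, 2 if the key cannot be read.
find_matching_cert() {
    fmc_key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$fmc_key_mod" ] || return 2
    split_certs "$1" "$3"
    fmc_status=1
    for fmc_cert in "$3"/cert*.pem; do
        [ -e "$fmc_cert" ] || continue
        fmc_mod=$(openssl x509 -noout -modulus -in "$fmc_cert" 2>/dev/null) || continue
        if [ "$fmc_mod" = "$fmc_key_mod" ]; then
            echo "$fmc_cert"
            fmc_status=0
        fi
    done
    return "$fmc_status"
}

# Usage (file names from the thread):
#   mkdir split && find_matching_cert s.cer s.key split
```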
08-02-2013 08:07 AM
I too had this issue. I exported the certificate and private key prior to re-install. This generated a ZIP file.
When I tried to import, I got the mismatch error.
I think that the fix was to simply rename the .pem file to a .cer file after I unzipped.
I'm not 100% on this, but if someone has this issue, please try this and confirm.
Thanks
08-02-2013 10:34 AM
This brings up a good question. If you do a CSR in ISE is the private key accessible?
08-05-2013 02:39 AM
>If you do a CSR in ISE is the private key accessible ?
Only after the certificate has been issued. i.e. the "local certificates" page allows export of pub/priv keypair via the export button, however the export button on the "Certificate Signing Requests" will only export the signing request.