
ISE - Certificate and mismatched private key

Hi,

Doing an upgrade on an ISE deployment I made a backup of all server certificates with the private key, in case of..

On one of the policy nodes I wanted to try if 'application config-reset' would speed up the upgrade. (from 1.1.0 to 1.1.1 takes about 1h/node)

I did clear the configuration and after the node was upgraded I tried to import the certificate and private key but got an error:

key pair import failed: Mismatched private key.

After some testing back and forth I did a hash match in openssl and I see that it doesn't match. I also tested the other 3 certificates with keys and it looks like I got the same problem there. I tried to unpack the cert.zip file with different unarchivers, same problem.

Anyone seen this before?

OSX:openssl x509 -noout -text -in newxxisepol2.pem | openssl md5

(stdin)= 8b8a00005e4245b4cb1e1b789d818413

OSX:openssl rsa -noout -modulus -in newxxisepol2.pvk | openssl md5

Enter pass phrase for newxxisepol2.pvk:

(stdin)= 498a4e136f7019a0f6f6d60129b0eb5d

Cheers

M


nickbettison
Level 1

Hello,

Did you resolve?

I am seeing the same issue.... key import after an `application config-reset` fails. Certs checked and look ok:

linickx:certs nick$ openssl x509 -noout -modulus -in s.cer | openssl md5

f694b168f1e16b4163bd69c71b3af50d

linickx:certs nick$

linickx:certs nick$ openssl req -noout -modulus -in s.csr | openssl md5  

f694b168f1e16b4163bd69c71b3af50d

linickx:certs nick$

linickx:certs nick$ openssl rsa -noout -modulus -in s.key | openssl md5

f694b168f1e16b4163bd69c71b3af50d

linickx:certs nick$

rgds,

Nick

Hi Nick,

Yes, I got the cert back on the ISE. I did a reload on the server and after that I could import the certificate again.

Not the best answer, a bit like banging an old telly, but it did the trick for me.

Cheers

Thanks for getting back to me

A reboot didn't fix it, but I did find the problem... somehow I ended up with mismatching openssl formats....

To generate my pri key I used:

> openssl genrsa -out s.key 2048

the CA issued me a certificate.p7b, which I converted for use with ISE:

> openssl pkcs7 -print_certs -in certificate.p7b -out s.cer

Using this s.key & s.cer together generated the "key pair import failed: Mismatched private key." error.

To fix, I standardised the files with:

> openssl rsa -in s.key -text  > private.pem

> openssl x509 -inform PEM -in s.cer > public.pem

Hopefully that'll help someone else in the future.

cheers,

Nick
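
Added example, not written by any poster in this thread and not Cisco's own procedure: a digest comparison only shows a match when both digests cover the same value, so this script hashes the public key taken from the certificate and the one derived from the private key. It also covers the `openssl pkcs7 -print_certs` case above, whose output carries `subject=`/`issuer=` text lines and can hold several certificates, by writing out only the certificate that matches the key as bare PEM. The function names and file names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: pick the certificate in a PEM bundle that matches a private key.
# All function and file names here are illustrative assumptions.

# stdin: PEM public key -> stdout: SHA-256 (hex) of its DER encoding
spki_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1: private key file (openssl prompts if it is passphrase-protected)
key_digest() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout) || return 1
    printf '%s\n' "$pub" | spki_digest
}

# $1: PEM file; only its first certificate is examined
cert_digest() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    printf '%s\n' "$pub" | spki_digest
}

# $1: key  $2: bundle (e.g. `openssl pkcs7 -print_certs` output)  $3: output file
# Writes the matching certificate to $3 as bare PEM. Returns 0 on a match,
# 1 if no certificate in the bundle matches, 2 if the key cannot be read.
extract_matching_cert() {
    local key="$1" bundle="$2" out="$3" want tmp part rc=1
    want=$(key_digest "$key") || return 2
    tmp=$(mktemp -d) || return 2
    # One file per certificate; text outside the PEM armor is dropped.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0 }' "$bundle"
    for part in "$tmp"/cert*.pem; do
        [ -f "$part" ] || continue
        if [ "$(cert_digest "$part")" = "$want" ]; then
            openssl x509 -in "$part" -out "$out" && rc=0
            break
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: extract_matching_cert s.key s.cer public.pem && echo "key and certificate match"
```

Because the comparison is over the public key rather than the RSA modulus, the same check works for EC keys.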

bbosch4210
Level 1

I too had this issue. I exported the certificate and private key prior to re-install. This generated a ZIP file.

When I tried to import, I got the mismatch error.

I think that the fix was to simply rename the .pem file to a .cer file after I unzipped.

I'm not 100% on this, but if someone has this issue, please try this and confirm.

Thanks

This brings up a good question. If you do a CSR in ISE is the private key accessible ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

>If you do a CSR in ISE is the private key accessible ?

Only after the certificate has been issued. i.e. the "local certificates" page allows export of pub/priv keypair via the export button, however the export button on the "Certificate Signing Requests" will only export the signing request.
