
ise cert

edondurguti
Level 4

When I generate a cert and use the Thawte trial version to try out the cert, the request, as I copy and paste it, says:

The CSR must include an Organization Name.

I am using ISE 1.1.1

https://ssl-certificate-center.thawte.com/process/retail/trial_product_selector;jsessionid=05DB2EB1E2E8FD67154B46999D600182?uid=f7293ccbbdb28c74c6a817943e96b3bd&locale=THAWTE_US


Tarik Admani
VIP Alumni

Hi,

Please use this guide to generate the CSR. I could not view the link that you posted above. Do you have a screenshot of the error, and also a screenshot of the CSR details?

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

Thanks,

Tarik Admani
*Please rate helpful posts*

I was actually reading it before you posted. I am thankful for your help and I apologize for my ignorance of not reading it before I asked (that's not me at all lol).

Yes, I have generated a self signing request and they emailed me two files:

Thawte Test CA Root certificate:

Thawte Trial Secure Server Intermediate CA:

They emailed these two files; actually it's a separate text.

I am actually trying to set it up with a trial cert.

google: thawte trial ssl cert

They offer a 21 day trial, but I am going to dig a bit more to see what's going on; I can't seem to make it work.

If you have time, it'd be nice if you could install it and post the solution.

If I figure it out I'll post the solution.

Thanks a lot

Not a problem,

What you will do is save the files accordingly. One file you can save as certificate.cer, and the other, the root certificate, as root.cer.

You will upload the root certificate first in the CA store and then upload the certificate.cer in the local certificate store. Let me know if you need help with that.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thank you for your help once again, I think I will have to dig in.

Anyway, as I was reading the documentation for Cisco ISE, on page 382 of the document ise_ug1.1.1.pdf:

The bolded word down there should be Certificate Store maybe?

Not sure if it's a typo.

"Adding a Certificate Authority Certificate

Note: Before you add a certificate authority certificate, ensure that the certificate authority certificate resides on the file system that is running the client browser.

Prerequisite:

Every ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have the Super Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To add a certificate authority certificate, complete the following steps:

Step 1 Choose Administration > System > Certificates.

Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates. The Certificate Authority Certificates page appears.

Step 3 Click Add. The Import a new Trusted CA (Certificate Authority) Certificate page appears as shown in Figure 13-10."

That is correct for the root certificate. My wording wasn't exact, but that is correct.

For the local certificate you can use these steps - http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.html#wp1103485

Tarik Admani
*Please rate helpful posts*

Hi all,

I generated a cert and used the Thawte trial version. I received the certificates as a trial SSL certificate, a Trial Secure Server Intermediate CA and a Test CA Root certificate, which is three in total. My problem now is that I am very new to the certificate concept and I don't know how to move forward:

Shall I construct it as follows:

{Trial SSL certificate, followed by trial intermediate and followed by trial test root} and then save it in one file with .PEM extension

Or do I have to save each file individually with a .pem extension?

Finally, how do I import this certificate into my ISE 1.2? Which one should be imported to Local Certificates and which one to the Certificate Store?

Thanks

Tarik Admani
VIP Alumni

Method one is correct. You will need to bind and not import if you generated the certificate signing request on the ISE server.


Sent from Cisco Technical Support Android App
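
An added example, not part of the original thread or of Cisco's documentation: a shell check that a PEM bundle is in the order discussed above (server certificate, then intermediate, then root) before it is loaded. It assumes the `openssl` CLI is installed; the function names, file names and the throwaway "Constructed Demo" CA hierarchy are made up for illustration.

```shell
#!/bin/sh
# Added example: check PEM bundle order (leaf -> intermediate -> root).
# Compares issuer/subject names only; it does not verify signatures.

name() {  # name <cert-file> <subject|issuer>
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null |
    sed 's/^[a-z]*= *//'
}

# Return 0 if each certificate in bundle $1 is issued by the next one and the
# last is self-signed; 1 if the order is wrong; 2 if no certificate is found.
bundle_order_ok() {
  tmp=$(mktemp -d) || return 2
  # Split the bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
       n {print > (d "/cert" n ".pem")}' "$1"
  n=$(ls "$tmp" | wc -l); i=1; rc=0
  [ "$n" -ge 1 ] || rc=2
  while [ "$rc" -eq 0 ] && [ "$i" -le "$n" ]; do
    # The last certificate must name itself as issuer (self-signed root).
    if [ "$i" -lt "$n" ]; then parent="$tmp/cert$((i + 1)).pem"
    else parent="$tmp/cert$i.pem"; fi
    iss=$(name "$tmp/cert$i.pem" issuer)
    { [ -n "$iss" ] && [ "$iss" = "$(name "$parent" subject)" ]; } || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

issue() {  # issue <dir> <file-stem> <CN> <issuer-file-stem>
  openssl req -newkey rsa:2048 -nodes -subj "/O=Constructed Demo/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Build a constructed, throwaway root/intermediate/leaf chain in directory $1
# plus one correctly ordered bundle (good.pem) and one misordered (bad.pem).
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/root.key" \
    -subj "/O=Constructed Demo/CN=Demo Root" -out "$1/root.pem" 2>/dev/null
  issue "$1" inter "Demo Intermediate" root
  issue "$1" leaf "ise.example.test" inter
  cat "$1/leaf.pem" "$1/inter.pem" "$1/root.pem" > "$1/good.pem"
  cat "$1/leaf.pem" "$1/root.pem" "$1/inter.pem" > "$1/bad.pem"
}
```
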

Thanks Tarik,

Should I do anything in the Certificate Store?

I exported the local certificate of the ISE and saved it in the trusted store of the client, but I still receive the error “12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate”.

I don't want to uncheck the validate server certificate option in the client network profile.

Please advise?

Keep in mind that, regardless of a public or private certificate, most clients will always prompt the user to accept the RADIUS server warning on all initial 802.1x connections. The only device I have seen not present this prompt is the Android.

The supplicant will always warn the end user that the identity for network authentication will be passed on to a RADIUS server. The only way to hide this message while choosing to keep the validate server certificate option would be to use a group policy from GPMC in your Microsoft environment where the identity is automatically set.

Tarik Admani
*Please rate helpful posts*

The error is still shown: “12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate”. Maybe I need to delete the default self-signed certificate after binding the new one?