Cisco Support Community

New Member

ise cert

When I generate a cert and use the Thawte trial version to try out the cert, the request, as I copy-paste it, says:

The CSR must include an Organization Name.

I am using ISE 1.1.1

https://ssl-certificate-center.thawte.com/process/retail/trial_product_selector;jsessionid=05DB2EB1E2E8FD67154B46999D600182?uid=f7293ccbbdb28c74c6a817943e96b3bd&locale=THAWTE_US

12 REPLIES

ise cert

Hi,

Please use this guide to generate the CSR; I could not view the link that you posted above. Do you have a screenshot of the error, and also a screenshot of the CSR details?

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

ise cert

I was actually reading it before you posted. I am thankful for your help and I apologize for my ignorance of not reading it before I asked (that's not me at all lol).

Yes, I have generated a self signing request and they emailed me two files:

Thawte Test CA Root certificate:

Thawte Trial Secure Server Intermediate CA:

They emailed these two files; actually it's a separate text.

New Member

Re: ise cert

I am actually trying to set it up with a trial cert.

Google: thawte trial ssl cert

They offer a 21 day trial, but I am going to dig a bit more to see what's going on; I can't seem to make it work.

If you have time, it'd be nice if you could install it and post the solution.

If I figure it out I'll post the solution.

Thanks a lot

ise cert

Not a problem,

What you will do is save the files accordingly. One file you can save as certificate.cer, and the other, the root certificate, as root.cer

You will upload the root certificate first in the CA store and then upload the certificate.cer in the local certificate store. Let me know if you need help with that.

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

Re: ise cert

Thank you for your help once again, I think I will have to dig in.

Anyway, as I was reading the documentation for Cisco ISE, on page 382 of the document ise_ug1.1.1.pdf:

The bolded word down there should be Certificate Store maybe?

Not sure if it's a typo.

"Adding a Certificate Authority Certificate

Note: Before you add a certificate authority certificate, ensure that the certificate authority certificate resides on the file system that is running the client browser.

Prerequisite:

Every ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have the Super Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

To add a certificate authority certificate, complete the following steps:

Step 1 Choose Administration > System > Certificates.

Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates. The Certificate Authority Certificates page appears.

Step 3 Click Add. The Import a new Trusted CA (Certificate Authority) Certificate page appears as shown in Figure 13-10"

ise cert

That is correct for the root certificate; my wording wasn't exact, but that is correct.

For the local certificate you can use these steps - http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.html#wp1103485

Tarik Admani
*Please rate helpful posts*

New Member

Re: ise cert

Hi all,

I generated a cert and used the Thawte trial version. I received the certificate as a trial SSL certificate, a Trial Secure Server Intermediate CA and a Test CA Root certificate, which is three in total. My problem now is that I am very new to the certificate concept and I don't know how to move forward:

Shall I construct it as follows:

{Trial SSL certificate, followed by trial intermediate and followed by trial test root} and then save it in one file with a .PEM extension

Or do I have to save each file individually with a .pem extension?

Finally, how do I import this certificate to my ISE 1.2? Which one should be imported to local certificates and which one to Certificate Store?

Thanks

Re:ise cert

Method one is correct. You will need to bind and not import if you generated the certificate signing request on the ISE server.


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
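
The file layout asked about above (method one: server certificate, then intermediate, then root, in one PEM file) can be checked before upload. The following is an added example, not from the original posts and not Cisco's or Thawte's code; it builds throwaway certificates with `openssl` (the function names and the Demo/ise.example subjects are hypothetical) and tests that each certificate in a bundle is issued by the one after it.

```shell
#!/bin/sh
# Added example with constructed, throwaway certificates (not Thawte's or ISE's files).
# make_demo_chain, name_of, chain_order_ok and the Demo/ise.example names are hypothetical.

# Create a disposable root -> intermediate -> server chain in directory $1.
make_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 21 -subj "/O=Demo/CN=Demo Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 21 -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=ise.example" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 21 -out "$d/srv.pem" 2>/dev/null
}

# Print the issuer or subject DN ($1) of the certificate in file $2.
name_of() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Return 0 if every certificate in bundle $1 is issued by the one after it
# and the last one is self-issued (the root); 1 on wrong order; 2 if empty.
chain_order_ok() {
  t=$(mktemp -d) || return 2
  awk -v p="$t/c" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (p n ".pem")}' "$1"
  i=1; rc=0
  while [ -f "$t/c$i.pem" ]; do
    nxt="$t/c$((i + 1)).pem"
    [ -f "$nxt" ] || nxt="$t/c$i.pem"   # last entry is compared with itself
    [ "$(name_of issuer "$t/c$i.pem")" = "$(name_of subject "$nxt")" ] || rc=1
    i=$((i + 1))
  done
  [ "$i" -gt 1 ] || rc=2
  rm -rf "$t"
  return "$rc"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_chain "$demo"
# Method one from the thread: server certificate, then intermediate, then root.
cat "$demo/srv.pem" "$demo/int.pem" "$demo/root.pem" > "$demo/bundle.pem"
cat "$demo/root.pem" "$demo/int.pem" "$demo/srv.pem" > "$demo/reversed.pem"
chain_order_ok "$demo/bundle.pem" && echo "bundle.pem: order OK"
chain_order_ok "$demo/reversed.pem" || echo "reversed.pem: wrong order"
```

This compares issuer and subject names only; `openssl verify -CAfile root.pem -untrusted int.pem srv.pem` additionally checks the signatures along the chain.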
New Member

Re: ise cert

Thanks Tarik,

Should I do anything in Certificate Store?

New Member

ise cert

I exported that local certificate of the ISE and saved it in the trusted store of the client, but I still receive the error “12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate”.

I don't want to uncheck the validate server certificate option in the client network profile.

Please advise?

ise cert

Keep in mind that, regardless of a public or private certificate, most clients will always prompt the user to accept the RADIUS server warning on all initial 802.1x connections. The only device I have seen not present this prompt is the Android.

The supplicant will always warn the end user that the identity for network authentication will be passed on to a RADIUS server. The only way to hide this message while choosing to keep the validate server certificate option would be to use a group policy from GPMC in your Microsoft environment where the identity is automatically set.

Tarik Admani
*Please rate helpful posts*

New Member

ise cert

The error is still shown: “12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate”. Maybe I need to delete the default, self-signed certificate after binding the new one?
