
ISE CSR not being displayed

tmoore
Level 1

I have an ISE Primary Monitor node on which the Server Certificate has expired. I generated a new CSR and it reported that it was created and could be viewed under the Certificate Signing Requests tab, but it never showed up. Tried to re-generate but it now states that it already exists. Rebooted the device to see if that would fix the issue but the CSR is still not showing. For a test I created another CSR using the IP address of the device as the CN, and again it reported that it could be viewed but is not being displayed under the CSR tab. These are the log items when I created the initial CSR and what it shows when I tried to create another using the same CN. The version of ISE is 1.1.3.124. I was able to create CSRs and update Certificates on the Administration/Policy nodes.

 

237 INFO  2014-09-22 11:43:07,237  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____ was created successfully. 2014-09-22 11:43:16,

174 ERROR 2014-09-22 11:44:33,174  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Resource Name 'NAC Group:NAC:CertificateRequests:DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____' already exists. 2014-09-22 11:44:36,

Thanks
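The two log entries quoted in the post above (a CSR logged as created, then a later request rejected because the same resource name already exists) can be correlated automatically. This is an added example, not part of the original post or any Cisco tooling; the line layout is assumed from the excerpt above, and the sample lines and CSR names are constructed placeholders.

```python
import re
from datetime import datetime

# Layout assumed from the excerpt in the post: LEVEL timestamp,ms [thread][] logger- message
# search() is used below so stray fragments before the level are tolerated.
LINE_RE = re.compile(
    r"(?P<level>INFO|ERROR)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+"
    r"\[[^\]]*\]\[[^\]]*\]\s+(?P<logger>\S+?)-\s+(?P<msg>.*)"
)
CREATED_RE = re.compile(r"Certificate Signing Request (?P<name>\S+) was created successfully")
EXISTS_RE = re.compile(r"Resource Name '[^']*:CertificateRequests:(?P<name>[^']+)' already exists")

# Constructed sample lines with placeholder CSR names, not taken from a real system.
SAMPLE_LOG = """\
INFO  2014-01-01 10:00:07,237  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request ise-mnt_example_com#PLACEHOLDER was created successfully.
ERROR 2014-01-01 10:01:33,174  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Resource Name 'NAC Group:NAC:CertificateRequests:ise-mnt_example_com#PLACEHOLDER' already exists.
INFO  2014-01-01 10:05:02,010  [http-443-31][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request ise-pan_example_com#PLACEHOLDER was created successfully.
"""


def find_stuck_csrs(log_text):
    """Return {csr_name: (created_at, rejected_at)} for CSRs that were logged
    as created and later rejected with 'already exists'."""
    created, stuck = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not follow the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["level"] == "INFO" and (c := CREATED_RE.search(m["msg"])):
            created.setdefault(c["name"], ts)  # remember the first creation time
        elif m["level"] == "ERROR" and (e := EXISTS_RE.search(m["msg"])):
            name = e["name"]
            if name in created and ts >= created[name]:
                stuck.setdefault(name, (created[name], ts))
    return stuck


if __name__ == "__main__":
    for name, (created_at, rejected_at) in find_stuck_csrs(SAMPLE_LOG).items():
        print(f"{name}: created {created_at}, rejected as duplicate {rejected_at}")
```

A name reported here only shows that the log recorded both events; whether the CSR is actually visible in the GUI still has to be checked on the node.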

 

1 Accepted Solution

Accepted Solutions

nspasov
Cisco Employee

It has been a while since I have used that version of ISE but I recall having a similar issue. The only way I believe we were told of removing this was to either re-image the box or get TAC involved where they can use root access and remove the "object" that is stuck in the database. A couple of things you could try doing:

1. Generate the CSR using another application such as OpenSSL

2. Try upgrading to ISE 1.2 and see if that clears the DB

 

Thank you for rating helpful posts!

Tried generating another CSR from a different app but no success.

Opened a TAC case and was told that this is a bug, CSCuh91639. Worked with the TAC engineer to have them go into the DB with root access on this node and the primary node to delete the CSR. Also had to de-register the ISE from the deployment and then reset the ISE to default settings to have it create a new self-signed cert to allow re-registering the device into the deployment. After this I was able to create a CSR and generate a cert from our CA.

Will look into updating to 1.2 since this bug is fixed in that version.

 

jan.nielsen
Level 7

Sometimes it's as simple as using another browser; try Firefox, IE or Chrome and see if it turns up.