New Member

ISE CSR not being displayed

I have an ISE Primary Monitor node whose Server Certificate has expired. I generated a new CSR and it reported that it was created and could be viewed under the Certificate Signing Requests tab, but it never showed up. Tried to re-generate but it now states that it already exists. Rebooted the device to see if that would fix the issue but the CSR is still not showing. For a test I created another CSR using the IP address of the device as the CN, and again it reported that it could be viewed but is not being displayed under the CSR tab. These are the log items when I created the initial CSR and what it shows when I tried to create another using the same CN. The version of ISE is 1.1.3.124. I was able to create CSR and update Certificates on the Administration/Policy nodes.

 

237 INFO  2014-09-22 11:43:07,237  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____ was created successfully. 2014-09-22 11:43:16,

174 ERROR 2014-09-22 11:44:33,174  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Resource Name 'NAC Group:NAC:CertificateRequests:DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____' already exists. 2014-09-22 11:44:36,

Thanks

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

It has been a while since I have used that version of ISE but I recall having a similar issue. The only way I believe we were told of removing this was to either re-image the box or get TAC involved where they can use root access and remove the "object" that is stuck in the database. A couple of things you could try doing:

1. Generate the CSR using another application such as OpenSSL

2. Try upgrading to ISE 1.2 and see if that clears the DB

 

Thank you for rating helpful posts!
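Option 1 from the answer above, sketched as an added example; it is not part of the original posts and not a Cisco procedure. The FQDN, DN fields and requested extensions are placeholders, and because the key pair is created outside ISE, the signed certificate later has to be imported together with this private key.

```bash
#!/usr/bin/env bash
# Added example: create a server-certificate CSR outside the ISE GUI with OpenSSL.
# The FQDN, DN fields and requested extensions are placeholders (assumptions).
set -eu

make_csr() {  # usage: make_csr <node-fqdn> <output-dir>
  mc_fqdn=$1; mc_out=$2
  mkdir -p "$mc_out"
  # Key is generated in a subshell with a tight umask so only the owner can read it.
  ( umask 077; openssl genrsa -out "$mc_out/$mc_fqdn.key" 2048 2>/dev/null )
  cat > "$mc_out/$mc_fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
O = Example Org
CN = $mc_fqdn
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$mc_fqdn
EOF
  openssl req -new -sha256 -key "$mc_out/$mc_fqdn.key" \
    -config "$mc_out/$mc_fqdn.cnf" -out "$mc_out/$mc_fqdn.csr"
}

csr_san() {  # print the SAN entry requested in the CSR, e.g. DNS:host.example.com
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

csr_ok() {  # usage: csr_ok <csr> <key>; 0 only if the CSR verifies and matches the key
  # Match on the message text rather than relying on the exit status alone.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  ck_a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  ck_b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$ck_a" = "$ck_b" ]
}

# Run as: ./make_csr.sh ise-node.example.com ./out   (no arguments = define functions only)
if [ $# -ge 1 ]; then
  make_csr "$1" "${2:-.}"
  csr_ok "${2:-.}/$1.csr" "${2:-.}/$1.key" && echo "CSR ready: ${2:-.}/$1.csr"
fi
```

Checking the CSR against the key before submitting it to the CA catches a mismatched pair early, which otherwise only surfaces when the signed certificate is imported.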
3 REPLIES
New Member

Tried generating another CSR from a different app but no success.

Opened a TAC case and was told that this is a bug, CSCuh91639. Worked with TAC engineer to have them go into the DB with root access on this node and the primary node to delete the CSR. Also had to de-register the ISE from the deployment and then reset the ISE to default settings to have it create a new self-signed cert to allow re-registering the device into the deployment. After this I was able to create a CSR and generate a cert from our CA.

Will look into updating to 1.2 since this bug is fixed in that version.

 

Sometimes it's as simple as using another browser. Try Firefox, IE or Chrome and see if it turns up.
