pxGrid CSR Fulfillment from Internal ISE CA

paul
Level 10

I am trying to get my pxGrid client certs issued from the Internal ISE CA.  I have done this before with external CAs handling the pxGrid client certs, but trying to lab up using the Internal CA.

I have a fresh build ISE 2.2 deployment with patch 1 running in my lab environment.  It is a 3 deployment, two Admin/M&T and one PSN also running pxGrid.   The pxGrid certs are running from Internal CA issued certs.

Capture.JPG

The pxGrid itself is looking great.

Capture.JPG

But when I try to request a pxGrid client cert:

Capture.JPG

I get the following error.

Capture.JPG

I am sure I am missing something silly, but can't see what it is.  Not sure how to troubleshoot this further.

Thanks in advance for the advice.

Accepted Solutions

Interesting. I did more testing. If I generate a CSR either in ISE or with OpenSSL and submit the CSR request to the internal CA on that same page, I get a cert no problem. It is only when I try to do it without a CSR, meaning ISE needs to generate a private key, generate the CSR, submit the CSR and get the cert back.

Hmm… I can live with the CSR submission method if I have to. I will test on the customer's deployment tomorrow.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
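
The workaround from the accepted solution (build the private key and CSR yourself, then submit the CSR to the internal CA), as an added shell example that is not part of the original post. The helper names are hypothetical and the CN/SAN are whatever lab values you pass in; the checks confirm that the CSR, and later the certificate the CA returns, carry the public key of the local private key.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Helper names are hypothetical;
# the CN/SAN passed in are constructed lab values.

# make_csr NAME FQDN -> writes NAME.key (unencrypted, mode 600) and NAME.csr
make_csr() {
  ( umask 077   # keep the private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" -addext "subjectAltName=DNS:$2" ) 2>/dev/null
}

# pubkey_fp key|csr|cert FILE -> SHA-256 of the PEM public key it contains
pubkey_fp() {
  case "$1" in
    key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  _pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$_pem" ] || return 1        # missing file or wrong file type
  printf '%s\n' "$_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key TYPE_A FILE_A TYPE_B FILE_B -> 0 only if both hold the same public key
same_key() {
  _a=$(pubkey_fp "$1" "$2") || return 1
  _b=$(pubkey_fp "$3" "$4") || return 1
  [ "$_a" = "$_b" ]
}

# csr_has_san CSR FQDN -> 0 if the SAN extension made it into the request
csr_has_san() {
  openssl req -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Typical use (constructed names):
#   make_csr pxgrid-client pxgrid-client.lab.example
#   same_key key pxgrid-client.key csr pxgrid-client.csr    # before submitting
#   same_key key pxgrid-client.key cert pxgrid-client.cer   # after the CA replies
```

Running the `cert` comparison before importing the returned file catches a certificate that was issued against a different CSR.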

3 Replies

hslai
Cisco Employee

1) Is this continually failing in repeated attempts?

2) Are you able to use internal CA to issue regular endpoint certificates?

If (1) -> yes and (2) -> no, then I would suggest trying to replace the cert chain -- Generate Root CA and Subordinate CAs on the PAN and PSN

Yes, continually failing. After I put all my nodes together into a deployment and blew away all of the CA certs (deleted, not deleted and revoked). Then I reinstalled the root chain, which installed the whole CA cert structure into my deployment with my primary admin node as the root.

Is there an easy way to test endpoint cert issuance without doing a client provisioning setup?

Also, I can’t remember: do any of the CA certs need to be in ISE’s trusted cert store? I didn’t think so, but wasn’t sure. pxGrid came up just fine without any of them in there.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250