Cisco Bug: CSCus84706 - ISE shows internal error while adding cert if there's 2 cert same subj

Last Modified

Oct 12, 2018

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.3(0.876)

Description (partial)

Symptom:
If the certificate trust store contains two certificates with the same subject name (for example, your CA certificate has been renewed but the old one is still valid), ISE shows an internal error when you add a certificate, and the PSC logs show this exception:

com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Error occurred while deleting certificate from NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities

The certificate appears to be added correctly, though.

Additionally, if you import a renewed certificate that uses the same private key as an existing certificate, the import fails and the certificate is not imported.

Conditions:
The certificate trust store contains two certificates with the same subject name.
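
A pre-import check for both conditions above, as an added example (not Cisco code and not part of the bug record): it lists subjects and public keys that occur on more than one certificate in a PEM bundle. It assumes the trusted certificates have already been exported into one PEM file and that the `openssl` CLI is installed; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: find trust-store entries that share a subject name or a
# public key. Input is a PEM bundle of the trusted certificates (assumed to
# have been exported beforehand). Function names are hypothetical.

# Print "<subject>\t<sha256 of public key>\t<notAfter>" for each certificate.
cert_inventory() {
  local bundle tmp f subj key end
  bundle=$1
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    key=$(openssl x509 -in "$f" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
    end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
    printf '%s\t%s\t%s\n' "$subj" "$key" "$end"
  done
  rm -rf "$tmp"
}

# Subjects carried by more than one certificate (the condition in this bug).
duplicate_subjects() { cert_inventory "$1" | cut -f1 | sort | uniq -d; }

# Public keys carried by more than one certificate (a renewal that reused
# the private key of an existing certificate).
duplicate_keys() { cert_inventory "$1" | cut -f2 | sort | uniq -d; }

# Usage: duplicate_subjects trusted-certs.pem; duplicate_keys trusted-certs.pem
```

An empty result from both functions means no two certificates in the bundle share a subject or a key; `cert_inventory` shows the expiry date of each entry so the older of a renewed pair can be identified.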

Related Community Discussions

Renew System Certificate in ISE and end-point
Hi, my customer has ISE 2.1, and the system certificate which is used for EAP will expire. The certificate is CA-signed. Then, the end-point certificate will also expire, the same as the ISE system certificate. Actually, I'm not familiar with end-point certificates. I just know that the end-point certificate will be pushed by the AD server when it will expire or has expired. I read in the ISE guideline that I should renew the signed certificate before the old one expires. When the new signed certificate ...
Latest activity: Jul 30, 2018