Cisco ISE: Certificate trust chain is incomplete

I’ve noticed an odd error where my public certificate had incomplete certificate chain. This may cause issues with PxGRID integration and BYOD provisioning.

Both Intermediate and root certificates were present in the trusted certificate store however there appeared to be 2 primary roots

and one of them obviously is incorrect braking the chain. So the easy way to find out which one is bad is to export your identity certificate and view chain on your computer.

Once exported, rename the file from PEM to CER extension and open it. Go to Certification Path to view complete chain. We see certificate and chain checked out ok.

Select Root certificate and record either Serial Number or Expiration date. Here we can see that correct root should have 7/16/2036 Expiration Date.

Checking back on ISE select root certificate and we see a different expiration date meaning root certificate is incorrect causing chain to be incomplete.

To fix it remove incorrect root certificate. Select it and delete under ISE Trusted Certificates page. Of course changes should be done in the Maintenance Window.

Once removed, the chain will appear as intact right away but it is strongly recommended to restart all ISE nodes anyway to rebuild it properly.

Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar