Troubleshooting Guide for Cisco Identity Services Engine Express License Bundle

Cisco ISE uses the SCEP protocol to support personal device registration (BYOD onboarding). When
an external SCEP CA is used, this CA is defined by a SCEP RA profile on ISE. When a SCEP RA
profile is created, two certificates are automatically added to the Trusted Certificates Store:
- the CA root certificate,
- the RA (Registration Authority) certificate, which is signed by the CA.
The RA is responsible for receiving and validating the request from the registering device, and
forwarding it to the CA that issues the client certificate.
When the RA certificate expires, it is not renewed automatically on the CA side (Windows Server
2012 in this example). The renewal has to be done manually by the Active Directory/CA administrator.
The following example shows how to do that on Windows Server 2012 R2.
Initial SCEP certificates visible on ISE:
The assumption is that the MSCEP-RA certificate has expired and has to be renewed.
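To confirm on the Windows server which RA certificates have actually expired (or are close to expiring) before changing anything, a check like the following can be used. This is an added example, not part of the original Cisco document; it assumes the RA certificates are in the local machine Personal store and that their subject contains "MSCEP-RA", and the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example: report expiry status of RA certificates in the local machine store.
# Assumptions (adjust to your environment):
#   - RA certificates live in Cert:\LocalMachine\My
#   - their subject contains "MSCEP-RA"
#   - 30 days is used as the "expiring soon" threshold
$pattern  = '*MSCEP-RA*'
$warnDays = 30
$now      = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $pattern } |
    ForEach-Object {
        # Whole days until NotAfter; negative means the certificate has expired
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $warnDays) { 'EXPIRING' } else { 'OK' }

        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            Status        = $status
            # Intended purposes, to tell the two RA certificates apart
            EKU           = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            # False here means the private key is missing from this server
            HasPrivateKey = $_.HasPrivateKey
        }
    } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Running this on a schedule and alerting on the EXPIRING status gives the administrator time to renew the RA certificate before BYOD onboarding starts to fail.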
Solution
Caution: Any changes on the Windows Server should first be discussed with its administrator.
1. Identify old private keys
Find the private keys associated with the RA certificates on the Active Directory using the certutil tool.
After that, locate the Key Container.
Please note that if the name of your initial MSCEP-RA certificate is different then it should be