...
The ise-psc log prints the exception below when importing a certificate:

2017-10-11 16:46:55,056 ERROR [admin-http-pool37][] cpm.infrastructure.certmgmt.impl.NSSKeyStoreUpdater -:admin::addLocalCert:- Error occurred while adding certificate to NSS DB: java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities
java.security.KeyStoreException: This PKCS11KeyStore does not support write capabilities
    at sun.security.pkcs11.P11KeyStore.checkWrite(P11KeyStore.java:2647)
    at sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:432)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
Certificates with the same CN are uploaded to the trusted certificates page. This adds duplicate certificates to the NSS DB and causes write capabilities to be disabled.
Delete one of the certificates and restart the app-server. Make sure duplicate certificates are not added to the NSS DB. Note: Please make sure the certificate is not referenced anywhere before deleting it, especially in the LDAP ID store.
When checking the contents of the NSS DB, we can see that the duplicate certificates are added under the same alias:

[root@ISE21-11 nssdb]# for NAME in ; do if test "$NAME" != 'Certificate'; then echo 'Alias:' $NAME;certutil -d . -L -n $NAME|grep Subject:; fi; done;
Alias: CERT-1N4g0F5m/FP+GlCILHjbKFLK5HQ=-33554617
Subject: "CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"
Alias: CERT-4+eD08ycMK7e/83rXs/uCP+PFoQ=-502515227628128633356291
Subject: "CN=Cisco Manufacturing CA,O=Cisco Systems"
Alias: CERT-biXJrKiTf6c7mHd1VMmrxSd7GCI=-118923644449355074385592807812759729088
Subject: "CN=ise21p3.acs5devsj.com"
Alias: CERT-UnRofn7Qn9RML6e+sJTeOyfcKig=-16740393543060094716
Subject: "CN=csacs5-lnx9,OU=SBG,O=Cisco,L=San Jose,ST=CA,C=US"
Subject: "CN=csacs5-lnx9,OU=SBG,O=Cisco,L=San Jose,ST=CA,C=US"
Alias: CERT-UnRofn7Qn9RML6e+sJTeOyfcKig=-16740393543060094716
Subject: "CN=csacs5-lnx9,OU=SBG,O=Cisco,L=San Jose,ST=CA,C=US"
Subject: "CN=csacs5-lnx9,OU=SBG,O=Cisco,L=San Jose,ST=CA,C=US"
Alias: CERT-TrbVeEmbHM9fWB6tVr49m2dEpeU=-33037644167568058970164719475676101450
Subject: "CN=VeriSign Class 3 Public Primary Certification Authority
Alias: CERT-kLLga3rV2v/P1DGHKQnzgTdHG/g=-2
Subject: "CN=Cisco Manufacturing CA SHA2,O=Cisco"
Alias: CERT-c/J9QqSdECVs1dZGGllyTIqjhJw=-1001
Subject: "CN=Server,O="Cisco Systems, Inc.""
Alias: tomcat
Subject: "CN=ISE21-11.acs5devsj.com"
Alias: CERT-kcbW7j6KyGOE5UjCmSlcdWyBe4E=-69529181992039203566298953787712940909
Subject: "CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For a
Alias: CERT-3pkM7ZngQx9g7cOTfnzVvw7Z5fo=-127566847139401841621357201087378599423
Subject: "CN=Cisco Root CA 2048,O=Cisco Systems"
Alias: CERT-2skCT1TY9t+Uk1+xcyY4ymrXfBM=-91299735575339953335919266965803778155
Subject: "CN=DST Root CA X3,O=Digital Signature Trust Co."
Alias: CERT-XeuPM54mTBn2aG9fjzK1SkxGtHY=-147276795673788085925734830146256557201
Subject: "CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use a
Alias: CERT-kz1jOk6EDaTCjoldkA/TEYiG96M=-1
Subject: "CN=Cisco Root CA M2,O=Cisco"
Alias: CERT-5BzGaUsLhS/cj+UANV91ZP3e5Rs=-3
Subject: "CN=*.acs5devsj.com"
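
To pick the affected alias out of a listing like the one above without reading it by eye, the following filter reports every alias that carries more than one Subject line. This is an added example, not part of the original bug text or of ISE itself; the function names find_duplicate_aliases and sample_listing and the sample data are constructed for illustration, and the input is assumed to be the "Alias:" / "Subject:" lines produced by the loop shown above.

```shell
#!/bin/sh
# Added example: flag NSS DB aliases that hold more than one certificate.
# Reads "Alias: <name>" / "Subject: <dn>" lines on stdin, in the layout
# printed by the listing loop, and prints each offending alias once.

find_duplicate_aliases() {
    awk '
        # Emit the alias collected so far if it had more than one Subject.
        function report() {
            if (name != "" && n > 1 && !(name in seen)) {
                seen[name] = 1
                print name
            }
        }
        /^Alias: / {
            report()
            name = substr($0, 8)   # text after "Alias: "
            n = 0
            next
        }
        /^[ \t]*Subject: / { n++ }
        END { report() }
    '
}

# Constructed sample input (not taken from a real appliance).
sample_listing() {
    cat <<'EOF'
Alias: CERT-constructed-A
Subject: "CN=root-a.example"
Alias: CERT-constructed-B
Subject: "CN=host-b.example"
Subject: "CN=host-b.example"
Alias: CERT-constructed-B
Subject: "CN=host-b.example"
Subject: "CN=host-b.example"
Alias: tomcat
Subject: "CN=ise.example"
EOF
}

sample_listing | find_duplicate_aliases
```

Any alias it prints is a candidate for the workaround described above: remove one of the duplicate certificates and restart the app-server.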