Symptom
--- ISE does not allow a CA-signed certificate to be imported over a self-signed certificate when self-signed certificates were used to build the deployment and the CA-signed certificate has the same Subject.
--- Error message:
There is one or more trusted certificate(s) which is part of the portal system certificate chain or selected with certbased admin auth role with the same subject name but having a different serial number. Import/Update was aborted. For successful import/update, you need to either disable the certbased admin auth role from duplicate trusted certificate or change the portal role from the system certificate which contains the duplicate trusted certificate in its chain.
Conditions
--- ISE 2.7
--- The self-signed certificate is in both the System store and the Trusted store.
--- The certificate to be imported has the same Subject name.
Workaround
--- To work around this issue:
1. Generate a new self-signed certificate, adding something to the Subject (e.g. Country or Company), and select the roles that are used by the original self-signed certificate (e.g. Admin, EAP, etc.).
2. After the services restart, confirm that the old self-signed certificate is "Not in Use". If it is still in use, move whatever roles it has to the new self-signed certificate.
3. Delete the old self-signed certificate from both the System Certificates Store and the Trusted Certificates Store.
4. Import the CA certificate into the Trusted Store.
5. Import the CA-signed certificate into the System Store and select the applicable roles.
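
A pre-import check for the condition in the error message (same Subject, different serial number), as an added example that is not part of the original note or of any Cisco tooling. It uses the openssl CLI on exported PEM files; the file names, the hostname ise01.example.test, the helper function names, and the assumption that comparing the RFC 2253 string form of the Subject approximates ISE's own comparison are all illustrative.

```shell
#!/bin/sh
# Pre-import check for the condition in the error message: same Subject,
# different serial number. Requires the openssl CLI.

# Subject DN of a PEM certificate, in RFC 2253 string form.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Serial number of a PEM certificate, as hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# subject_conflict NEW EXISTING
# Succeeds (exit 0) when both certificates carry the same Subject but
# different serial numbers, i.e. the import would be expected to abort.
subject_conflict() {
    [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ] &&
        [ "$(cert_serial "$1")" != "$(cert_serial "$2")" ]
}

# Constructed sample data: make_cert SUBJECT SERIAL OUTFILE writes a throwaway
# self-signed certificate. Only Subject and serial matter for this check, so a
# self-signed certificate also stands in for the CA-signed one.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
        -set_serial "$2" -keyout "$3.key" -out "$3" 2>/dev/null
}

# Build the three certificates from the workaround in DIR and report.
demo() {
    dir=$1
    make_cert "/CN=ise01.example.test" 1 "$dir/old-selfsigned.pem"
    make_cert "/CN=ise01.example.test" 2 "$dir/ca-signed.pem"
    make_cert "/O=Example/CN=ise01.example.test" 3 "$dir/new-selfsigned.pem"
    for existing in old-selfsigned.pem new-selfsigned.pem; do
        if subject_conflict "$dir/ca-signed.pem" "$dir/$existing"; then
            echo "$existing: CONFLICT (same Subject, different serial)"
        else
            echo "$existing: ok"
        fi
    done
}

tmp=$(mktemp -d) && demo "$tmp"; rm -rf "$tmp"
```

Running the same comparison against every certificate exported from the Trusted Certificates Store shows which entries need to be replaced (steps 1 to 3) before the import in step 5.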