https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632902#M575529 <P>create another A entry for ISE01 and test it.</P> Thu, 16 Jun 2022 06:56:25 GMT balaji.bandi 2022-06-16T06:56:25Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632482#M575509 <P>I am having a problem binding a CSR and the resulting certificate. I get the error&nbsp;<SPAN>&nbsp;"Certificate must contain the FQDN...". Research has shown that this has occurred&nbsp;before and was related to a SAN not matching the domain. I have verified that they do match, no leading or trailing spaces; no 0o/1l typos. My cert looks like:</SPAN></P> <P><SPAN>(The machine name is ise01)</SPAN></P> <P>-Multi-use</P> <P>Allow Wildcard Certificates</P> <P><SPAN>CN: ise.client.com</SPAN></P> <P><SPAN>SAN: ise.client.com</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*.client.com</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ise01.client.com</SPAN></P> <P>&nbsp;</P> <P><SPAN>I checked the hostname in CLI and even made sure the virtual machine name was all matching. Does anyone know what log would contain failures for this? I tried recursive grep'ing for different words from the support bundle and could not find anything. What else would you recommend. Thank you for your time.</SPAN></P> Wed, 15 Jun 2022 15:31:56 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632482#M575509 atheio 2022-06-15T15:31:56Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632483#M575510 <P>Is the FQDN of ISE actually ise01.client.com?&nbsp; Or is it something else?</P> Wed, 15 Jun 2022 15:39:19 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632483#M575510 ahollifield 2022-06-15T15:39:19Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632485#M575511 <P>Yes it is.</P> Wed, 15 Jun 2022 15:46:44 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632485#M575511 atheio 2022-06-15T15:46:44Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632522#M575516 <P>ise01.client.com&nbsp; - is this resolving in your nslookup ?</P> <P>&nbsp;</P> Wed, 15 Jun 2022 17:32:01 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632522#M575516 balaji.bandi 2022-06-15T17:32:01Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632547#M575520 <P>No it doesn't sir. This ISE server will be primary (10.1.1.134) and a secondary. (10.1.1.135). I wasn't sure if I needed to make the "ISE-cube" first or apply certificates. I have only created A-records pointing ise.client.com to those IPs.</P> <P>&nbsp;</P> Wed, 15 Jun 2022 18:13:17 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632547#M575520 atheio 2022-06-15T18:13:17Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632902#M575529 <P>create another A entry for ISE01 and test it.</P> Thu, 16 Jun 2022 06:56:25 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4632902#M575529 balaji.bandi 2022-06-16T06:56:25Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633163#M575533 <P>Ok, I added an A record for ISE01, generated the CSR and I get the same error when I try to bind the new cert to the csr. Should I add the machine hostname to the SAN field?</P> <P>&nbsp;</P> <P>ex: ise.client.com</P> <P>&nbsp; &nbsp; &nbsp; *.client.com</P> <P>&nbsp; &nbsp; &nbsp; ise01.client.com</P> Thu, 16 Jun 2022 13:04:23 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633163#M575533 atheio 2022-06-16T13:04:23Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633232#M575540 <P>Machine hostname?&nbsp; I thought the ISE hostname was ise01.client.com?&nbsp; Is the DNS ise01.client.com but the actual hostname of the ISE node something else?</P> Thu, 16 Jun 2022 14:47:24 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633232#M575540 ahollifield 2022-06-16T14:47:24Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633293#M575544 <P>Sorry, I think I am muddying the water. Here is a diagram of the setup. Do I need to add ise01.client.com and ise02.client.com to the SAN fields?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-06-16 at 12.34.29 PM.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/153963i10F8D34382FBF15C/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2022-06-16 at 12.34.29 PM.png" alt="Screen Shot 2022-06-16 at 12.34.29 PM.png" /></span></P> <P> </P> <P> </P> Thu, 16 Jun 2022 16:35:18 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633293#M575544 atheio 2022-06-16T16:35:18Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633315#M575545 <P>Yes, the FQDN/hostname of the individual ISE Server (or a wildcard) must be in the SAN field.</P> <P>&nbsp;</P> <P>FYI, your screenshot includes the actual DNS name of the ISE node.&nbsp; You may want to blank that out for privacy.</P> Thu, 16 Jun 2022 16:27:59 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633315#M575545 ahollifield 2022-06-16T16:27:59Z https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633815#M575578 <P>I identified the issue. The wrong cert was purchased. We ordered a basic, when we needed a wildcard, that was why "www." was getting auto-populated in the SAN field. Thank you all for your help!</P> Fri, 17 Jun 2022 13:51:04 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-issue/m-p/4633815#M575578 atheio 2022-06-17T13:51:04Z