topic Re: Certificate contains bad Common Name & SAN Values during CSR r in Network Access Control

Certificate contains bad Common Name & SAN Values during CSR request

Darnitsa Admin — Sat, 08 Feb 2025 11:25:23 GMT

Hello there.

I have a problem during generating CSR request on my Standalone Cisco ISE node.

Previously, I have configured the CSR and obtained the proper one from my enterpise CA, BUT the CA which signed the CSR was Root CA and now we have Subordinate CA by means of which I have to sign the new CSR, obtain new certificate and put it for EAP authentication.

Here is the thing. When I try to generate new CSR the error appear every time: 'WARNING! Certificate contains bad Common Name & SAN Values 'ise01.company.local.net,ise01.company.local.net'.Please confirm still you want to proceed.

I have got no clue why the error shows up. I suppose it's because of the existing one certificate issued to the node ise01.company.local.net

We did the same thing in lab and everythin worked fine. Any suggestion?

Cisco ISE version 3.2.0.542

Patch Information: 1,2,3,4,5,6,7

Role: STANDALONE

ADE-OS Version: 3.2.0.401

Re: Certificate contains bad Common Name & SAN Values during CSR r

Scott Fella — Sat, 08 Feb 2025 17:11:42 GMT

You can always generate the cert from the other node if the FQDN is in the SAN. What I had to do since we have a lot of nodes and dev nodes, is I just create a CSR using openssl with a CN like ise.comany.com and then the fqdn of each of the nodes. Also, you don't have to have the CN you use in the SAN.

ise-001.company.com
ise-002.company.com
ise-dev-001.company.com
ise-test-001.company.com

That way I can use the cert on all my nodes.

You can generate something like this:

CN=ise.company.local.net --> Make sure you have DNS pointing to the IP of your PAN

SAN=ise01.company.local.net,ise02.company.local.net,ise03.company.local.net

Re: Certificate contains bad Common Name & SAN Values during CSR r

Darnitsa Admin — Sun, 09 Feb 2025 14:22:52 GMT

Hello Scott. Thank you for your answer.

There is another question then:

I have a DNS A record for ise01.company.local.net.

Mainly, we will use the certificate based on the CSR request we still can't get for EAP authentication (wireless and wired).

The question is: Won't it be a problem having different SAN from CN for the dot1x authentication.

For example: If in my new CSR the CN would be ise01.company.local.net and the SAN of the very same CSR would be like ise-01.company.local.net. Would it cause problems during checking the certificate for example in EAP-TLS Authentication?
And what would be if I just skip the warning and just create the new one CSR request and sign it with my Subordinate CA?

P.S. I tried to re-generate the CSR with the sam CN and SAN and get the next error. Error is in the attachment.
What should I do next? Delete the current certificate for EAP auth and regenerate the new CSR?

Re: Certificate contains bad Common Name & SAN Values during CSR r

Scott Fella — Sun, 09 Feb 2025 16:01:15 GMT

Keep in mind that the CN or common name is just what it means a common DNS you can use to point to your PAN. If you only have one node, then you don’t need any SAN unless you want to have multiple DNS for the PAN as an example and that is okay.
you need to validate that the root ca and intermediate ca’s are on the endpoints as that is the only way they will trust ISE. I have like 60+ in the SAN entry and it’s not a problem.

Re: Certificate contains bad Common Name & SAN Values during CSR r

Darnitsa Admin — Mon, 10 Feb 2025 05:27:56 GMT

So, the solution will be like having RootCA and SubCA as Trusted Certs on ISE and Client. Generate new CSR on ISE to sign it by SubCA for EAP Authentication filling fields of CN and (if needed) SAN values. And it will be ok for dot1x auth for wired as well as for wirelss? Am I right?

Re: Certificate contains bad Common Name & SAN Values during CSR r

Scott Fella — Mon, 10 Feb 2025 16:23:02 GMT

This is how I would phrase it.

ISE will need to have the root ca & intermediate ca(s) that the client uses in the trusted certificate store
The client will need to have the root ca & intermediate ca(s) that ISE uses in the trusted root CA and trusted intermediate CA.
If you have multiple nodes and want to just have one certificate for all nodes:
- Create a CN like ise.company.local.net <-- This will resolve in DNS to your PAN
- Create SAN's for the FQDN or all your other nodes
If you only have one node:
- Create the CN using the FQDN for that node
- No SAN is required
Will this work for EAP... YES, it can also work for your admin so you don't get a cert error.

Re: Certificate contains bad Common Name & SAN Values during CSR r

bassomarco1998 — Sun, 01 Mar 2026 16:29:19 GMT

Hi @Scott Fella ,

Thank you for the thorough and detailed responses you provided in the thread, they were very helpful.

A possible alternative solution for the certificates used by ISE, specifically for EAP, would be not to create the DNS record at all. In this case, a generic FQDN such as “ise-cluster.customer-domain.com” can still be included in both the CN and SAN fields of the certificate, even if it does not exist within the DNS servers.

For authentication purposes, the absence of the corresponding DNS record will not cause any issues.