topic CISCO ISE error adding third node to deployment in Network Access Control

CISCO ISE error adding third node to deployment

SupportAC — Wed, 27 May 2026 07:15:32 GMT

Hi,

I need to add a third node to ISE deployment. When i go to PAN to register new node. I introduce FQDN, user, pass but i receive this error: Certificate Signature Verification failed CN= Company1 CAROOT, DC=Company1, DC=com: FQDN

I verified that the CAROOT and CA intermediate are in PAN and new node. How can i fix the issue? any idea?

Re: CISCO ISE error adding third node to deployment

Marvin Rhoads — Wed, 27 May 2026 13:04:53 GMT

Is the CAROOT certificate in the trusted certificate store on the current PAN? Double check that the certificate SHA-256 fingerprint matches.

Re: CISCO ISE error adding third node to deployment

SupportAC — Wed, 27 May 2026 13:58:34 GMT

Yes. I have all chain CAroot and intermediate in PAN,SAN and new node.

The different thing is that the certificates for the PAN and SAN nodes were signed by a different Root CA and using SHA1 (these devices were installed many years ago). The new ISE, however, was signed by another CA using SHA256. Even so, I imported the certificate along with the Root and Intermediate CAs used by the certificates on the previous nodes. I’m not sure whether this could be the issue.

I’m worried that I may need to regenerate the CSR and reissue/sign the certificates for the other two nodes (PAN and SAN) using the same Root CA (SHA-256) as the new node. I don’t like this option because it requires a reboot and deleting/replacing the certificate, which would cause service impact

Re: CISCO ISE error adding third node to deployment

Marvin Rhoads — Wed, 27 May 2026 14:31:45 GMT

From what you have described, it sound like buggy behavior. I would open a TAC case for a more detailed investigation (and hopefully resolution).