https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434806#M87362 <P>Thanks Charles for the response, do I need to purchase Wildcard SSL Certificate to use in Distributed Cisco ISE deployments? Seems that when purchasing wildcard certificate they need the CN field fill up with the wildcard name.</P> Sun, 16 Mar 2014 14:06:55 GMT mjrmontemayor 2014-03-16T14:06:55Z https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434804#M87360 <P>We are purchasing SSL Wildcard Certificate to use in Cisco ISE but when I enter the following attributes given by the vendor, I have this error,</P><P>"*.domain.com is not a valid wildcard name". The attributes I created in the CSR as follows:</P><P>CN=*.domain.com</P><P>SAN</P><P>DNS Name: ise.domain.com</P><P>The above parameters is given by the vendor. They said that I should put this attribute because the CA (DigiCert), only accepts this format to issue wildcard certificate.</P><P>&nbsp;</P><P>The vendor rejected my previous CSR which I successfully created with the following attributes below. This was based on Cisco's Documentation.</P><P>CN=ise.domain.com</P><P>SAN</P><P>DNS Name: ise.domain.com</P><P>DNS Name: *.domain.com</P><P>&nbsp;</P><P>I just want to confirm if the attribute given by the vendor are valid for the Cisco ISE to generate CSR. Or must use valid FQDN in the CN entries and not wildcard name. And use the wildcard name only in the SAN DNS Name Entry.</P><P>&nbsp;</P><P>Please advice. Appreciate the prompt respose from the expert.</P><P>Thank You.</P><P>&nbsp;</P><P>regards,</P><P>Mike</P><P>&nbsp;</P> Mon, 11 Mar 2019 04:31:21 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434804#M87360 mjrmontemayor 2019-03-11T04:31:21Z https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434805#M87361 <P>Mike,</P><P>Take a look at the attached files.&nbsp; (Still having issues showing pictures here since they updated the forum).</P><P>Long story short, the wildcard goes in the SAN field.&nbsp; I have shown this in the second picture.</P><P>&nbsp;</P><P>Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.&nbsp; Otherwise, feel free to post follow-up questions.</P><P>Charles Moreton</P> Wed, 12 Mar 2014 17:55:38 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434805#M87361 Charlie Moreton 2014-03-12T17:55:38Z https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434806#M87362 <P>Thanks Charles for the response, do I need to purchase Wildcard SSL Certificate to use in Distributed Cisco ISE deployments? Seems that when purchasing wildcard certificate they need the CN field fill up with the wildcard name.</P> Sun, 16 Mar 2014 14:06:55 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434806#M87362 mjrmontemayor 2014-03-16T14:06:55Z https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434807#M87363 <P>Mike,</P><P>&nbsp;</P><P>A wildcard cert is definitely the way to go in a distibuted environment.&nbsp; Use the hostname got your Admin node in the CN field:</P><P>&nbsp;</P><P>CN=ise, OU=domain, OU=com</P><P>and enter the SAN field as asown above for the CSR.</P><P>&nbsp;</P><P>Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.&nbsp; Otherwise, feel free to post follow-up questions.</P><P>Charles Moreton</P> Mon, 17 Mar 2014 13:07:57 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-csr-generation-issue-with-wildcard-certificate/m-p/2434807#M87363 Charlie Moreton 2014-03-17T13:07:57Z