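How do I load a commercial SSL certificate on ISE 2.7? (I requested a certificate on Alibaba Cloud, and ISE reports that it cannot be uploaded?)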

angel9999
Level 1

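How do I load a commercial SSL certificate on ISE 2.7? (I requested a certificate on Alibaba Cloud, and ISE reports that it cannot be uploaded?)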

25 replies

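Without checking Admin, the import has already succeeded. I want to check Admin to use it for management, but it still reports this error: Certificate must contain the FQDN 'ise.dotcomlab.net' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension. How do I deal with this??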

Whatever your ISE's FQDN is, just request a certificate for that name.

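Taking yours as an example, just import the certificate for ise.dotcomlab.net (if there are multiple nodes, each node's certificate must correspond exactly: ise1.dotcomlab.net for ise1, ise2.dotcomlab.net for ise2; they cannot be mixed), or use a *.dotcomlab.net certificate.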

Following the example, I requested ise.dotcomlab.net, and uploading it reports this error:

There is one or more trusted certificate(s) which is part of the portal system certificate chain or selected with certbased admin auth role with the same subject name but having a different serial number. Import/Update was aborted. For successful import/update, you need to either disable the certbased admin auth role from duplicate trusted certificate or change the portal role from the system certificate which contains the duplicate trusted certificate in its chain.

angel9999
Level 1

There is a certificate that the host generated automatically. Do I need to delete everything under System Certificates???

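It does not matter whether you delete the system-generated certificates; I suggest cleaning up only the certificates that are Not in use or expired.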

angel9999
Level 1

For successful import/update, you need to either disable the certbased admin auth role from duplicate trusted certificate or change the portal role from the system certificate which contains the duplicate trusted certificate in its chain. How should I understand this sentence, and what should I do about it?

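It is saying there is a duplicate certificate in the certificate chain. Send me a remote access method by private message and I will take a look remotely.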

Working remotely, I traced the error to a bug and resolved it with the temporary workaround the bug provides.
Bug link: https://bst.cisco.com/bugsearch/bug/CSCvw51787?rfs=qvred

The test environments so far are ISE 2.7 patch 8 and patch 9, and both are affected; whether earlier versions are affected is unknown.

angel9999
Level 1

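I got a certificate that is not *.XXX.com, and when selecting the Admin option it also reports the error: Certificate must contain the FQDN 'ise.dotcomlab.net' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension... Is this related to the host's FQDN, and how do I change it?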

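Check the domain-name you set in the CLI. For example, if your hostname is ise and the domain name is abc.com, then the FQDN is ise.abc.com. Changing either the ISE hostname or the domain name affects the FQDN.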
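
The SAN requirement in the error message and the hostname plus domain-name rule from the reply above can be checked before import. This is an added example, not part of the thread or Cisco's code; the function names are hypothetical, and the single-label wildcard rule is an assumption about how the match is evaluated.

```python
from __future__ import annotations
# Added example: pre-import check that a certificate's SAN DNS names cover an ISE node's FQDN.
# Assumption: usual single-label wildcard matching; ISE's own check is not shown in the thread.


def node_fqdn(hostname: str, domain_name: str) -> str:
    """FQDN as described in the thread: hostname + '.' + domain-name."""
    return f"{hostname.strip('.')}.{domain_name.strip('.')}".lower()


def dns_name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if not pattern.startswith("*."):
        return False
    _, _, parent = fqdn.partition(".")
    return parent != "" and parent == pattern[2:]


def san_covers(fqdn: str, san_dns_names: list[str]) -> bool:
    """True if any SAN DNS entry matches; an empty SAN list never matches."""
    return any(dns_name_matches(name, fqdn) for name in san_dns_names)


def san_dns_names_from_pem(pem_bytes: bytes) -> list[str]:
    """Read SAN DNS names from a PEM certificate (needs the 'cryptography' package)."""
    from cryptography import x509  # imported lazily; third-party dependency

    cert = x509.load_pem_x509_certificate(pem_bytes)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []  # CN-only certificate: no SAN extension at all
    return san.value.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    fqdn = node_fqdn("ise", "dotcomlab.net")
    # Constructed SAN lists standing in for four different certificates.
    for label, names in [
        ("exact", ["ise.dotcomlab.net"]),
        ("wildcard", ["*.dotcomlab.net"]),
        ("other node", ["ise1.dotcomlab.net"]),
        ("no SAN", []),
    ]:
        print(f"{label:10} {names!r:26} covers {fqdn}: {san_covers(fqdn, names)}")
```

For a real certificate file, pass its bytes to `san_dns_names_from_pem` and feed the result to `san_covers` together with the node's FQDN.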

angel9999
Level 1

There is one or more trusted certificate(s) which is part of the portal system certificate chain or selected with certbased admin auth role with the same subject name but having a different serial number. Import/Update was aborted. For successful import/update, you need to either disable the certbased admin auth role from duplicate trusted certificate or change the portal role from the system certificate which contains the duplicate trusted certificate in its chain.

=====
Temporary workaround:
--- To workaround this issue:
1. Generate new Self-Signed Certificate, add something to the Subject, e.g. Country or Company, select roles which are used for original Self-Signed Certificate. (e.g. Admin, EAP, etc.)

2. Confirm that after Services Restart old Self Signed certificate is "Not in Use", if it is still in Use, move whatever roles it has to newly Self-Signed Certificate;

3. Delete old Self-Signed certificate from both System Certificates Store and Trusted Certificates Store;

4. Import CA certificate in the Trusted Store;

5. Import CA signed certificate in the System Store, select applicable roles.

----
