04-17-2019 07:29 AM
Summary: They renewed their company CA. TAC stated that ISE cannot hold two certs with the same subject name. This seemed to work before, and this is a bug. The customer wanted to ensure this was going to be fixed. It seemed the TAC was not sure.
04-17-2019 12:40 PM
Hi Donald,
Please continue to work with the TAC and if necessary escalate. This forum is not an alternative or parallel means to solve deployment issues. From the banner at the top of the page:
"This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums."
Regards,
-Tim
04-17-2019 01:50 PM
Hi Tim,
I wish I could, yet TAC has been given multiple answers and the customer has lost trust in TAC. This is when we look to the BU to see if this is a bug or will be fixed.
04-17-2019 02:26 PM
I had this recently on an ISE 2.4 deployment. I was trying to be clever by issuing a separate Admin cert and an EAP cert, because splitting these two certs makes a lot of sense. The mistake I made was that I created the CSRs with the same Subject CN, e.g. ise1.company.com for the Admin cert and ise1.company.com for the EAP cert.
ISE allowed me to create these two CSRs. But when I tried to bind the EAP cert after I had already successfully bound the Admin cert, ISE complained about that and told me that I cannot have that. I think it's a feature, but to me it seems wrong. Not sure if this worked in earlier versions (I have never tried that before). There should be no confusion here because the certs are unique in their serial number and they also serve different purposes.
My solution was to create a new CSR for the EAP cert and I called it simply: ise1 (without the domain). EAP supplicants don't care about the Subject CN anyway. In the SAN you can still put whatever you like, so I put the FQDN in there.
Another possible solution is to change the CSR's Organisational Unit (OU), Organisation, City etc. and make them unique; then it's not an issue for ISE.
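The workaround described in the answer above, as an added example that is not part of the thread: two CSRs for one node whose Subject DNs differ (FQDN as CN for Admin, short hostname plus a different OU for EAP) while both keep the same FQDN in the SAN, plus a check that the subjects really are distinct before anything is submitted to the CA. It assumes OpenSSL 1.1.1 or later (for `-addext`); the hostname and organisation values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Cisco's or the thread's code. Builds the Admin and EAP
# CSRs so that their Subject DNs differ (the ISE constraint in the thread)
# while the same FQDN is carried in the SAN of both. Values are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
FQDN="ise1.company.com"   # constructed placeholder hostname

# make_csr <label> <subject> : writes $WORK/<label>.key|.csr, prints CSR path
make_csr() {
    label="$1"; subject="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$label.key" -out "$WORK/$label.csr" \
        -subj "$subject" \
        -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
    echo "$WORK/$label.csr"
}

# csr_subject <csr> : Subject DN of the CSR in RFC 2253 form
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# csr_san <csr> : the SAN line of the CSR, e.g. "DNS:ise1.company.com"
csr_san() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# subjects_distinct <csr1> <csr2> : true when subjects differ but SANs match,
# i.e. the pair would not collide on subject name yet both still name the FQDN
subjects_distinct() {
    [ "$(csr_subject "$1")" != "$(csr_subject "$2")" ] &&
    [ "$(csr_san "$1")" = "$(csr_san "$2")" ]
}

# Admin cert keeps the FQDN as CN; EAP cert uses the short hostname and its
# own OU, as suggested above, so the two Subject DNs can never be identical.
ADMIN_CSR=$(make_csr admin "/O=Company/OU=Admin/CN=$FQDN")
EAP_CSR=$(make_csr eap "/O=Company/OU=EAP/CN=ise1")

subjects_distinct "$ADMIN_CSR" "$EAP_CSR" &&
    echo "OK: distinct subjects, both carry SAN DNS:$FQDN"
```

Run it before submitting the CSRs to the CA; if the check fails, the two certificates would share a Subject DN and hit the same bind error described above.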