
SR is 686525078

Donald Fisher
Cisco Employee

Summary: They renewed their company CA. TAC stated that ISE cannot hold 2 certs with the same subject name. This seemed to work before and this is a bug. Customer wanted to ensure this was to be fixed. It seemed the TAC was not sure.


Accepted Solutions

Timothy Abbott
Cisco Employee

Hi Donald,

 

Please continue to work with the TAC and if necessary escalate.  This forum is not an alternative or parallel means to solve deployment issues.  From the banner at the top of the page:

 

"This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums."

 

Regards,

-Tim


Hi Tim,

 

I wish I could, yet TAC has been given multiple answers and customer lost trust in TAC. This is when we look to BU to see if this is a bug or will be fixed.

 

Arne Bier
VIP

I had this recently on an ISE 2.4 deployment.  I was trying to be clever by issuing a separate Admin cert and an EAP cert, because splitting these two certs makes a lot of sense.  The mistake I made was that I created the CSR with the Same Subject CN.  e.g.  ise1.company.com for Admin cert, and ise1.company.com for EAP cert.

ISE allowed me to create these two CSRs. But when I tried to bind the EAP cert after I had already successfully bound the Admin cert, ISE complained about that and told me that I cannot have that. I think it's a feature but to me it seems wrong. Not sure if this worked in earlier versions (I have never tried that before). There should be no confusion here because the certs are unique in their serial number and they also serve different purposes.

My solution was to create a new CSR for the EAP cert and I called it simply: ise1 (without the domain). EAP supplicants don't care about the Subject CN anyway. In the SAN you can still put whatever you like - so I put the FQDN in there.

Another possible solution is to change the CSR's Organisational Unit (OU), Organisation, City etc. - make them unique - then it's not an issue for ISE.
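
A pre-flight check for the subject clash described in the post above, added here as an example and not part of the original thread or of ISE itself: it builds CSRs with OpenSSL, keeps the FQDN in the SAN, and flags any CSR whose full subject DN matches the Admin one. The names (`ise1.company.com`, `O=Company`, the OU values) and the helper functions are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```bash
# Added example. Names and subjects are constructed placeholders; the keys are
# throwaway test keys. Assumes OpenSSL 1.1.1+ (for -addext).

make_csr() {            # make_csr <prefix> <subject> <san-fqdn>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" -addext "subjectAltName=DNS:$3" 2>/dev/null
}

csr_subject() {         # print the full subject DN of a CSR
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

csr_san() {             # print the DNS SAN entries of a CSR
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

subjects_collide() {    # exit 0 when two CSRs carry the same subject DN
  [ "$(csr_subject "$1")" = "$(csr_subject "$2")" ]
}

demo() {
  d=$(mktemp -d)
  fqdn=ise1.company.com
  make_csr "$d/admin"    "/O=Company/OU=ISE/CN=$fqdn" "$fqdn"
  make_csr "$d/eap_same" "/O=Company/OU=ISE/CN=$fqdn" "$fqdn"   # same subject as Admin
  make_csr "$d/eap_cn"   "/O=Company/OU=ISE/CN=ise1"  "$fqdn"   # short CN, FQDN in SAN
  make_csr "$d/eap_ou"   "/O=Company/OU=EAP/CN=$fqdn" "$fqdn"   # same CN, distinct OU
  for c in eap_same eap_cn eap_ou; do
    if subjects_collide "$d/admin.csr" "$d/$c.csr"; then r=COLLIDES; else r=unique; fi
    printf '%-9s %-42s SAN=%s  %s\n' "$c" "$(csr_subject "$d/$c.csr")" \
      "$(csr_san "$d/$c.csr")" "$r"
  done
  rm -rf "$d"
}
demo
```

Only `eap_same` is reported as colliding; the short-CN and distinct-OU variants keep the same SAN while presenting a different subject DN.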