
CA-Signed certificate for ISE is showing as invalid.

Nerd_Herd
Level 1

Recently applied certs to two different ISE deployments. One is showing the admin portal as secure; the other deployment is showing as invalid. Two different certs for two different nodes from the same CA, but only one is working correctly. Both devices have the entire cert chain imported in their trusted certs and successfully bound the certs to their respective CSR. Where can I start troubleshooting why one is working and the other isn't?

9 Replies

Both standalone? Or distributed and one is PAN and other is PSN?

MHM

Both are standalone at different sites. 

Hi Jeremy, did you check if the node that is not showing the correct cert actually has the right cert tied to its admin portal? I would check this from both ISE and the client. If you see the right cert presented from your browser, I would try to download it to the client and see if the chain shows correctly. Also, I would check the CN and the SAN values on that cert; there might be a typo or a missing value that is causing your browser not to trust that cert.

Can it be a bug?
Same ISE patch and same CA, I think it's a bug.
MHM

Could be, but it could also be that something happened when the CSR was created, or maybe the cert wasn't tied to the admin portal on that node.

Nerd_Herd
Level 1

I pulled the cert and it's showing the correct subject. The only difference between the non-working and working one is that the SAN on the non-working one has just the DNS and the working one has the IP and DNS. Both are running 3.1 and patch 8. I'm going to assume that the issue is the missing IP address.

Check it and update us

Thanks a lot

MHM

If you try to connect to the node using the IP address in the browser, then yes, you need to have the IP added to the SAN values. However, if you are using the FQDN that matches the one you have on the cert, it should work without having to add the IP. I would still double-check and make sure that the cert is associated with the admin portal in ISE.
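The name-matching rule described in the reply above, as an added example that is not part of the thread or any Cisco tooling: it parses the SAN text printed by `openssl x509 -noout -ext subjectAltName` and checks whether the host typed into the browser is covered. The host names, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

def parse_san(openssl_text):
    """Parse the SAN line printed by `openssl x509 -noout -ext subjectAltName`."""
    dns, ips = [], []
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", openssl_text):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        else:
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def _dns_match(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def san_covers(openssl_text, typed_host):
    """True if the name typed in the browser is covered by the SAN.

    An IP literal is compared only with IP Address entries and a host name
    only with DNS entries; a DNS entry never vouches for an IP address.
    """
    dns, ips = parse_san(openssl_text)
    host = typed_host.strip("[]").lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:  # not an IP literal, so treat it as a host name
        return any(_dns_match(p, host) for p in dns)

# Constructed SAN lines modelled on the two certs in the thread.
SAN_DNS_ONLY = "X509v3 Subject Alternative Name:\n    DNS:ise-b.example.com"
SAN_DNS_AND_IP = ("X509v3 Subject Alternative Name:\n"
                  "    DNS:ise-a.example.com, IP Address:192.0.2.10")

if __name__ == "__main__":
    for label, san, targets in [
        ("DNS only", SAN_DNS_ONLY, ["ise-b.example.com", "192.0.2.20"]),
        ("DNS + IP", SAN_DNS_AND_IP, ["ise-a.example.com", "192.0.2.10"]),
    ]:
        for t in targets:
            verdict = "ok" if san_covers(san, t) else "name mismatch"
            print(f"{label:9} {t:20} -> {verdict}")
```
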

Indeed, as @Aref Alsouqi mentioned, if this cert is for Portal or EAP then I think you need the SAN,
but for a CA cert!!
Anyway, check it and update us.
Thanks again
MHM