Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
5
Helpful
9
Replies

CA-Signed certificate for ISE is showing as invalid.

Nerd_Herd
Level 1
Level 1

‎01-22-2024 12:43 PM

Recently applied certs to two different ISE deployments. One is showing the admin portal as secure the other deployment is showing as invalid. Two different certs for two different nodes from the same CA but only is working correctly. Both devices have the entire cert chain imported in their trusted certs, successful bound the certs to their respective CSR. Where can I start troubleshooting why one is working and the other isn't. 

1 person had this problem
0 Helpful
9 Replies 9

MHM Cisco World
VIP
VIP

‎01-22-2024 12:45 PM

Both standalone? Or distributed and one is PAN and other is PSN?

MHM

0 Helpful

Nerd_Herd
Level 1
Level 1
In response to MHM Cisco World

‎01-22-2024 12:54 PM

Both are standalone at different sites. 

Aref Alsouqi
VIP
VIP

‎01-22-2024 01:50 PM

Hi Jeremy, did you check if the node that is not showing the correct cert has actually the right cert tied to its admin portal? I would check this from both ISE and the client. If you see the right cert presented from your browser, I would try to download it to the client and see if the chain shows correctly. Also, I would check the CN and the SAN values on that cert, there might be a typo or a missing value that is causing your browser not to trust that cert.

MHM Cisco World
VIP
VIP
In response to Aref Alsouqi

‎01-22-2024 02:21 PM

can it bug ? 
same ISE patch and same CA, I think it bug 
MHM

0 Helpful

Aref Alsouqi
VIP
VIP
In response to MHM Cisco World

‎01-22-2024 02:45 PM

Could be, but it could also be that something happens when the CSR was created or maybe the cert wasn't tied to the admin portal on that node.

Nerd_Herd
Level 1
Level 1

‎01-23-2024 06:04 AM

I pulled the cert and its showing the correct subject. The only difference between the non-working and working one is that the SAN on the non-working one has just the DNS and the working one has the IP and DNS. Both are running 3.1 and patch 8. I'm going to assume that the issue is the missing IP address. 

MHM Cisco World
VIP
VIP
In response to Nerd_Herd

‎01-23-2024 06:08 AM

Check it and update us

Thanks alot 

MHM

0 Helpful

Aref Alsouqi
VIP
VIP
In response to Nerd_Herd

‎01-23-2024 06:31 AM

If you try to connect to the node using the IP address in the browser, then yes, you need to have the IP added to the SAN values, however, if you are using the FQDN that is matching the one you have on the cert it should work without having to add the IP. I would still double check and make sure that that cert is associated to the admin portal in ISE.

MHM Cisco World
VIP
VIP
In response to Aref Alsouqi

‎01-23-2024 06:39 AM

indeed as @Aref Alsouqi  mention if this Cert is for Portal, or EAP the I think you need SAN 
but for CA cert. !! 
anyway check it and update us 
thanks again 
MHM

0 Helpful
Customers Also Viewed These Support Documents