Certificate contains bad Common Name & SAN Values during CSR request

Darnitsa Admin
Level 1

Hello there.

I have a problem generating a CSR request on my standalone Cisco ISE node.

Previously, I configured the CSR and obtained the proper certificate from my enterprise CA, BUT the CA which signed that CSR was the Root CA, and now we have a Subordinate CA with which I have to sign the new CSR, obtain a new certificate and use it for EAP authentication.

Here is the thing. When I try to generate a new CSR, the error appears every time: 'WARNING! Certificate contains bad Common Name & SAN Values 'ise01.company.local.net,ise01.company.local.net'.Please confirm still you want to proceed.

I have no clue why the error shows up. I suppose it's because of the existing certificate issued to the node ise01.company.local.net.

We did the same thing in the lab and everything worked fine. Any suggestions?

Cisco ISE version 3.2.0.542

Patch Information: 1,2,3,4,5,6,7
Role: STANDALONE
ADE-OS Version: 3.2.0.401
5 Replies

Scott Fella
Hall of Fame

You can always generate the cert from the other node if the FQDN is in the SAN. What I had to do, since we have a lot of nodes and dev nodes, is create a CSR using openssl with a CN like ise.company.com and then the FQDN of each of the nodes. Also, you don't have to have the CN you use in the SAN.

ise-001.company.com
ise-002.company.com
ise-dev-001.company.com
ise-test-001.company.com

That way I can use the cert on all my nodes.

You can generate something like this:

CN=ise.company.local.net --> Make sure you have DNS pointing to the IP of your PAN

SAN=ise01.company.local.net,ise02.company.local.net,ise03.company.local.net

-Scott
*** Please rate helpful posts ***

Hello Scott. Thank you for your answer.

There is another question, then:

I have a DNS A record for ise01.company.local.net.

Mainly, we will use the certificate based on the CSR request (which we still can't get) for EAP authentication (wireless and wired).

The question is: won't it be a problem having a SAN different from the CN for the dot1x authentication?

For example: if in my new CSR the CN were ise01.company.local.net and the SAN of the very same CSR were something like ise-01.company.local.net, would it cause problems when checking the certificate, for example in EAP-TLS authentication?
And what would happen if I just skip the warning, create the new CSR request and sign it with my Subordinate CA?

P.S. I tried to re-generate the CSR with the same CN and SAN and got the next error. The error is in the attachment.
What should I do next? Delete the current certificate for EAP auth and regenerate a new CSR?

Keep in mind that the CN or common name is just what it means: a common DNS name you can use to point to your PAN. If you only have one node, then you don't need any SAN unless you want to have multiple DNS names for the PAN, as an example, and that is okay.
You need to validate that the root CA and intermediate CA's are on the endpoints, as that is the only way they will trust ISE. I have like 60+ in the SAN entry and it's not a problem.

-Scott
*** Please rate helpful posts ***

So, the solution would be: have the RootCA and SubCA as Trusted Certs on ISE and the client, generate a new CSR on ISE and sign it with the SubCA for EAP authentication, filling in the CN and (if needed) SAN values. And it will be OK for dot1x auth for wired as well as wireless? Am I right?

This is how I would phrase it.

  • ISE will need to have the root ca & intermediate ca(s) that the client uses in the trusted certificate store
  • The client will need to have the root ca & intermediate ca(s) that ISE uses in the trusted root CA and trusted intermediate CA.
  • If you have multiple nodes and want to just have one certificate for all nodes:
    • Create a CN like ise.company.local.net <-- This will resolve in DNS to your PAN
    • Create SANs for the FQDNs of all your other nodes
  • If you only have one node:
    • Create the CN using the FQDN for that node
    • No SAN is required
  • Will this work for EAP... YES, it can also work for your admin so you don't get a cert error.
-Scott
*** Please rate helpful posts ***
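Added example for this thread, not ISE, Cisco or Scott's code: an openssl script that builds the CSR described above (one CN for the PAN, the node FQDNs as DNS SANs), signs it with a constructed root -> subordinate CA, and then runs the checks a supplicant or browser performs on the result, covering both the CN/SAN layout in Scott's first reply and the trust-store summary in the last one. Two points worth seeing in working form: a client that trusts only the root fails unless the subordinate CA is also available to it, and once DNS SANs are present, RFC 6125 validators (OpenSSL included) match only the SAN and ignore the CN, so any name you intend to connect to, the CN included, should also be listed in the SAN. All hostnames, file paths and the CA itself are assumptions made up for the demo; it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example for this thread (not ISE or Cisco code): build a CSR with one CN
# and the node FQDNs as DNS SANs, sign it with a constructed root -> subordinate
# CA, then run the checks a supplicant or browser performs on the result.
# Every hostname, path and CA here is an assumption made up for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certs

# Write an openssl req config: CN from $2, comma-separated DNS SANs from $3.
write_req_conf() {
    san_list=""
    old_ifs=$IFS; IFS=','
    for n in $3; do san_list="${san_list:+$san_list,}DNS:$n"; done
    IFS=$old_ifs
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n' > "$1"
    printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = %s\n' "$2" "$san_list" >> "$1"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth,clientAuth\n' >> "$1"
}

# Write an openssl config for a CA certificate with CN $2.
write_ca_conf() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\nprompt = no\n' > "$1"
    printf '[dn]\nCN = %s\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\n' "$2" >> "$1"
    printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$1"
}

# Constructed two-tier CA: self-signed root, subordinate signed by the root.
build_ca() {
    write_ca_conf "$WORK/root.cnf" "Demo Root CA"
    write_ca_conf "$WORK/sub.cnf" "Demo Sub CA"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/root.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/sub.cnf" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/sub.cnf" -extensions ca_ext \
        -out "$WORK/sub.pem" 2>/dev/null
}

# Key + CSR for the ISE deployment: gen_csr <name> <CN> <san1,san2,...>
gen_csr() {
    write_req_conf "$WORK/$1.cnf" "$2" "$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Subordinate CA signs the CSR; SANs come from the same config's v3_req section.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.cnf" -extensions v3_req \
        -out "$WORK/$1.pem" 2>/dev/null
}

# DNS SAN entries in a CSR, one per line (check this before submitting to the CA).
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed 's/^ *DNS://'
}

# What a client does: trust only the root, use the subordinate as untrusted
# chain material, and match the name it connected to. Prints OK or FAIL.
verify_host() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
        -verify_hostname "$1" "$WORK/ise.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Same chain check with the intermediate missing from the client side.
verify_without_sub() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/ise.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

main() {
    build_ca
    gen_csr ise "ise.company.local.net" \
        "ise01.company.local.net,ise02.company.local.net,ise03.company.local.net"
    sign_csr ise
    echo "SANs in CSR:"; csr_sans "$WORK/ise.csr"
    echo "ise01 via SAN:       $(verify_host ise01.company.local.net)"   # OK
    echo "CN only, not in SAN: $(verify_host ise.company.local.net)"     # FAIL
    echo "no intermediate:     $(verify_without_sub)"                    # FAIL
}
main
```

Run it as-is and it prints the three SANs found in the CSR followed by the three verdicts. The second verdict is the practical caveat to "you don't have to have the CN in the SAN": a validator that follows RFC 6125 never looks at the CN once DNS SANs exist, so a PAN name used only as CN would fail a browser's hostname check even though the chain is fine. The third verdict is the trust-store point from the bullet list: the client needs the subordinate CA as well as the root, or the chain cannot be built.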