Cisco ISE 2.3 - Certificate use

pgiouvanellis
Level 1

Hello Everyone,

We have a 2-node PAN & PSN deployment; one node acts as Primary (Admin and Monitoring) and the other as Secondary (Admin and Monitoring).

We had to replace the Admin, Portal and EAP certificates with new ones due to expiration.

So we created 2 CSRs and got the certificates from our provider.

Then we successfully bound the 2 certificates to the CSRs, but initially we did not give the certificates any usage.

After successfully binding them, we proceeded to give the certificates the usage we wanted (Admin, EAP, Portal).

We first began with the Secondary node, and that succeeded.

When we tried to do it on the Primary, we got the following error:

"Certificate must contain the FQDN '' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension."

The CSRs had no difference in production, and neither did the certificates we got back.

Has anyone had a similar problem, or any idea what is going on?

Thanks!

 

1 Accepted Solution

Hello,

FYI

Yesterday we imported the new certificate for EAP and Portals and left the Admin portal alone, since it does not bother us.

After a little time the Portals did not work properly; they were not accessible from anywhere.

The EAP authentication was working properly.

After an application stop and application start the problem was solved; we were able to assign the certificate to the Admin portal and the Portals were working properly.

This is the walkthrough that we performed, and we managed to bring ISE into a working state.

5 Replies

paul
Level 10

Did you double check the cert you got back from the provider to ensure the CN field or SAN field has the FQDN of the primary node?  You can do everything with one cert if you want.  Just use SAN fields to cover both nodes.  It makes things easier at the time of renewal and having a single EAP certificate makes mobile devices have less issues if they have to switch to the other PSN to authenticate.
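
The check paul describes (does the certificate's SAN actually cover the FQDN of each node?) as an added Python example; it is not code from this thread or from Cisco, and the node names and SAN lists are constructed placeholders for the two-node scenario above.

```python
"""Offline check: does a certificate's SAN cover every ISE node FQDN?

ISE refuses to assign a certificate to Admin/EAP/Portal use on a node
unless the node FQDN, or a matching wildcard, appears as a DNS name in
the SAN extension. Node names below are constructed placeholders.
"""
from typing import Iterable, List


def wildcard_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label,
    covering exactly one label (so *.example.com matches
    ise-primary.example.com but not a.b.example.com or example.com)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    p_labels, f_labels = pattern.split("."), fqdn.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(f_labels):
        return False
    return p_labels[1:] == f_labels[1:]


def missing_fqdns(san_dns_names: Iterable[str], node_fqdns: Iterable[str]) -> List[str]:
    """Return the node FQDNs that no SAN DNS entry covers.
    The CN is deliberately ignored: the ISE error asks for the SAN."""
    names = list(san_dns_names)
    return [fqdn for fqdn in node_fqdns
            if not any(wildcard_matches(n, fqdn) for n in names)]


def san_dns_names_from_pem(pem: bytes) -> List[str]:
    """Extract SAN DNS names from a PEM certificate. Needs the third-party
    'cryptography' package, imported lazily so the checker runs without it."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return san.value.get_values_for_type(x509.DNSName)


# Constructed scenario: a cert issued with only the secondary node in its SAN,
# one covering both nodes explicitly, and one using a wildcard.
NODES = ["ise-primary.example.com", "ise-secondary.example.com"]
SAN_ONLY_SECONDARY = ["ise-secondary.example.com"]
SAN_BOTH = ["ise-primary.example.com", "ise-secondary.example.com"]
SAN_WILDCARD = ["*.example.com"]

if __name__ == "__main__":
    for label, san in [("secondary only", SAN_ONLY_SECONDARY), ("both", SAN_BOTH), ("wildcard", SAN_WILDCARD)]:
        print(f"{label}: nodes not covered -> {missing_fqdns(san, NODES)}")
```

Feed `san_dns_names_from_pem(open("cert.pem", "rb").read())` into `missing_fqdns` to run the same check against a real certificate before binding it in ISE.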

I double checked everything.

The odd thing is that the other certificate, which is exactly the same except for a different FQDN and SAN, was imported successfully with no errors.

How is it possible to add a SAN field to the cert right now?

You mean that I have to generate a new CSR with a SAN field containing 2 FQDNs, one for each node?

Thank You

Yes, generate a new CSR with SAN fields to cover every FQDN. Then you have one cert/private key to manage.
