09-12-2018 04:41 AM
Hello everyone,
We have a deployment of 2 PAN & PSN nodes; one acts as Primary (Admin and Monitoring) and the other one as Secondary (Admin and Monitoring).
We had to replace the Admin, Portal and EAP certificates with new ones due to expiration.
So we created 2 CSRs and we got the certificates from our provider.
Then we successfully bound the 2 certificates to the CSRs, but initially we did not give the certificates any usage.
After successfully binding them, we proceeded with giving the certificates the usage we wanted (Admin, EAP, Portal).
We first began with the Secondary node, which we managed with success.
When we tried to do it on the Primary we got the following error:
"Certificate must contain the FQDN '' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension."
There was no difference in how the CSRs were produced, nor in the certificates we got back.
Has anyone had a similar problem, or does anyone have any idea what is going on?
Thanks!
09-12-2018 05:15 AM
Did you double-check the cert you got back from the provider to ensure the CN field or SAN field has the FQDN of the primary node? You can do everything with one cert if you want. Just use SAN fields to cover both nodes. It makes things easier at the time of renewal, and having a single EAP certificate makes mobile devices have fewer issues if they have to switch to the other PSN to authenticate.
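The check suggested in the reply above, as an added example (not part of the original thread and not Cisco ISE's own validation code): it tests whether a certificate's SAN DNS names cover every node FQDN, using the common one-label wildcard rule. The hostnames and the helper names `san_matches` and `uncovered_nodes` are constructed for illustration.

```python
# Added example, not ISE's validation logic. Hostnames are constructed placeholders.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def san_matches(fqdn, san_dns_name):
    """True if one SAN dNSName entry covers the FQDN (exact or wildcard)."""
    if not fqdn.strip():
        return False  # an empty FQDN can never be covered
    host, pattern = _labels(fqdn), _labels(san_dns_name)
    if len(host) != len(pattern):
        return False  # a wildcard stands for exactly one label
    if pattern[0] == "*":
        # Assumption: require at least "*.domain.tld" and compare the rest exactly.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def uncovered_nodes(node_fqdns, san_dns_names):
    """Return the node FQDNs that no SAN entry covers."""
    return [n for n in node_fqdns
            if not any(san_matches(n, s) for s in san_dns_names)]


NODES = ["ise-pan1.example.com", "ise-pan2.example.com"]  # constructed

if __name__ == "__main__":
    candidates = {
        "one cert, both nodes in SAN": ["ise-pan1.example.com", "ise-pan2.example.com"],
        "cert issued for secondary only": ["ise-pan2.example.com"],
        "wildcard cert": ["*.example.com"],
    }
    for label, sans in candidates.items():
        missing = uncovered_nodes(NODES, sans)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```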
09-12-2018 05:34 AM
I double-checked everything.
The odd thing is that the other certificate, which is exactly the same just with a different FQDN and SAN, was imported successfully with no errors.
How is it possible to add a SAN field to the cert right now?
You mean that I have to generate a new CSR with a SAN field and import 2 FQDNs, one for each node?
Thank you
09-13-2018 05:41 AM
Hello,
FYI:
Yesterday we imported the new certificate for EAP and Portals and we left the Admin Portal, since it does not bother us.
After a little time the Portals did not work properly; they were not accessible from anywhere.
The EAP authentication was working properly.
After application stop and application start the problem was solved: we were able to assign the certificate to the Admin Portal, and the Portals were working properly.
This is a walk-through of what we performed, and we managed to bring ISE into a working state.