01-21-2020 08:25 AM - edited 01-21-2020 08:29 AM
After some difficulties, finally managed to get a publicly signed wildcard cert. DigiCert was unable to issue a cert, so ended up with Sectigo (formerly known as COMODO).
For CSR, used a generic name for CN 'ise.ise.xyz.app', and the SAN DNS has this generic name as well as wildcard '*.ise.xyz.app'.
(The AD domain name is ABCD.prv, and the public cert is using 'ise.xyz.app'. We have a DNS zone for it and can resolve (forward and reverse) the ISE node.)
Bound the issued cert with the CSR successfully, imported the Root CA and Intermediate CA.
So far so good.
I then tried to use the same cert for Admin and Portal, but using this for Admin is failing with 'Certificate must contain the FQDN 'xxxx' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension.'
As our domain and the domain I used for the cert are different, not sure if this has anything to do with this?
Any idea what might be causing this and how to resolve it?
Many thanks in advance.
P.S. I've been following the below for my reference.
01-21-2020 11:45 AM
Your ISE FQDN is not matching the certificate. For example, your ISE FQDN is ise.xyz.prv and your certificate is using ise.xyz.com. The SAN should contain a wildcard that matches the FQDN of your ISE host. For example, *.xyz.prv.
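To make the rule in this answer concrete, here is an added Python example (not from the thread, and not Cisco ISE code) that applies the SAN / wildcard matching check behind the error message quoted in the question, using constructed hostnames. It also shows that a wildcard covers exactly one label, which is why a '*.xyz.app' entry would not cover a node placed under the 'net.xyz.app' sub-domain discussed later in the thread.

```python
import re

# Constructed sample values, not taken from the thread: an assumed ISE node
# FQDN in the AD domain and the DNS names carried in the wildcard cert's SAN.
ISE_FQDN = "ise01.abcd.prv"
SAN_DNS_NAMES = ["ise.ise.xyz.app", "*.ise.xyz.app"]

# One DNS label: letters, digits, inner hyphens, 1-63 characters.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def san_matches(fqdn, san_name):
    """Return True if a single SAN dNSName entry covers fqdn.

    Follows the RFC 6125 style rule that admin-UI style checks enforce:
    a '*' is only honoured as the entire left-most label and stands for
    exactly one label, so '*.xyz.app' covers 'ise.xyz.app' but neither
    'ise.net.xyz.app' nor the bare 'xyz.app'. Comparison is case-insensitive.
    """
    fqdn = fqdn.rstrip(".").lower()
    san_name = san_name.rstrip(".").lower()
    if san_name.startswith("*.") and "*" not in san_name[2:]:
        suffix = san_name[2:]
        head, sep, tail = fqdn.partition(".")
        return sep == "." and tail == suffix and bool(LABEL.match(head))
    # Anything else (including 'ise*.example' partial wildcards) is literal.
    return fqdn == san_name


def check_admin_cert(fqdn, san_names):
    """Mimic the admin-role certificate check: return (ok, message)."""
    hits = [name for name in san_names if san_matches(fqdn, name)]
    if hits:
        return True, "FQDN '%s' is covered by SAN entry '%s'" % (fqdn, hits[0])
    return False, ("Certificate must contain the FQDN '%s' or a matching wildcard "
                   "as a DNS name in the SubjectAlternativeName (SAN) extension." % fqdn)


if __name__ == "__main__":
    # The situation from the question: AD-domain FQDN vs. public-domain wildcard.
    print(check_admin_cert(ISE_FQDN, SAN_DNS_NAMES))
    # A wildcard in the node's own domain would pass.
    print(check_admin_cert(ISE_FQDN, ["*.abcd.prv"]))
    # A node under a partitioned sub-domain needs a wildcard at that depth.
    print(check_admin_cert("ise01.net.xyz.app", ["*.xyz.app"]))
    print(check_admin_cert("ise01.net.xyz.app", ["*.net.xyz.app"]))
```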
01-22-2020 12:32 AM
Thank you for the response.
Little more explanation of my situation :)
The AD domain bears the old company name, whereas the domain used for this wildcard contains the new company name, and pretty much all the new internal applications use 'xyz.app' name space.
For ISE wildcard, I have partitioned this name space for security reasons as per the Cisco recommendation and created a sub-domain 'net', so it would make up 'net.xyz.app'.
With this in mind, while I see your point, adding a wildcard '*.abcd.prv' that covers the FQDN of the ISE node/s would be exposing the root AD domain and defeating the purpose of partitioning the domain?
Thanks,
01-24-2020 08:26 AM
As I didn't want guests to see the ISE nodes' hostnames, I decided not to use the WildSAN cert for the Admin use and issued a cert from the internal CA.
WildSAN seems to be working for everything else so far, and the Admin cert is doing its job.