Cisco ISE 2.4 - Certificate must contain the FQDN 'xxxx' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension.

atsukane
Level 1

After some difficulties, finally managed to get a publicly signed wildcard cert. DigiCert was unable to issue a cert, so ended up with Sectigo (formerly known as COMODO).

For CSR, used a generic name for CN 'ise.ise.xyz.app', and the SAN DNS has this generic name as well as wildcard '*.ise.xyz.app'.

(The AD domain name is ABCD.prv, and the public cert is using 'ise.xyz.app'. We have a DNS zone for it and can resolve (forward and reverse) the ISE node.)

Bound the issued cert with the CSR successfully, imported the Root CA and Intermediate CA.

So far so good.

I then tried to use the same cert for Admin and Portal, but using this for Admin is failing with 'Certificate must contain the FQDN 'xxxx' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension.'

As our domain and the domain I used for the cert are different, not sure if this has anything to do with this?

Any idea what might be causing this and how to resolve it?


Many thanks in advance.


P.s. I've been following the below for my reference.

https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

Accepted Solution

Colby LeMaire
VIP Alumni

Your ISE FQDN is not matching the certificate.  For example, your ISE FQDN is ise.xyz.prv and your certificate is using ise.xyz.com.  The SAN should contain a wildcard that matches the FQDN of your ISE host.  For example, *.xyz.prv.  
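To make the rule in this answer concrete, here is an added Python example (not from the thread or from Cisco) that applies the SAN/wildcard matching logic to the names discussed above; the node hostname 'ise01.abcd.prv' is a constructed placeholder for a real ISE FQDN in the poster's AD domain.

```python
# Added example (not from the thread): the SAN/wildcard matching rule that
# produces the "must contain the FQDN ... or a matching wildcard" error.

def san_matches(fqdn: str, san_dns_names: list[str]) -> bool:
    """Return True if one SAN dNSName entry covers the node FQDN.

    Exact names match case-insensitively. A wildcard '*.example.com'
    covers exactly one extra label ('host.example.com'), never the bare
    domain and never multi-label hosts ('a.b.example.com').
    """
    host = fqdn.rstrip(".").lower()
    for entry in san_dns_names:
        name = entry.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # "*.abcd.prv" -> ".abcd.prv"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def covering_wildcard(fqdn: str) -> str:
    """Wildcard SAN that would cover this FQDN (the fix proposed above)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 3:
        raise ValueError("need at least host.domain.tld to form a wildcard")
    return "*." + ".".join(labels[1:])


def check_admin_cert(fqdn: str, san_dns_names: list[str]) -> str:
    """Mimic the ISE Admin-role check and say what would satisfy it."""
    if san_matches(fqdn, san_dns_names):
        return f"OK: {fqdn} is covered by SAN {san_dns_names}"
    return (f"REJECT: certificate must contain the FQDN '{fqdn}' or a "
            f"matching wildcard such as '{covering_wildcard(fqdn)}'")


if __name__ == "__main__":
    # Constructed node name in the poster's AD domain; SANs from the thread.
    node = "ise01.abcd.prv"
    public_sans = ["ise.ise.xyz.app", "*.ise.xyz.app"]
    print(check_admin_cert(node, public_sans))                 # REJECT ...
    print(check_admin_cert(node, ["*.abcd.prv"]))              # OK ...
    print(check_admin_cert("ise01.ise.xyz.app", public_sans))  # OK ...
```

The first call reproduces the thread's failure: a node whose FQDN ends in the AD domain is not covered by '*.ise.xyz.app', while a node actually named under 'ise.xyz.app' would be.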


Thank you for the response.

Little more explanation of my situation :)

The AD domain bears the old company name, whereas the domain used for this wildcard contains the new company name, and pretty much all the new internal applications use 'xyz.app' name space.

For ISE wildcard, I have partitioned this name space for security reasons as per the Cisco recommendation and created a sub-domain 'net', so it would make up 'net.xyz.app'.

With this in mind, while I see your point, adding a wildcard '*.abcd.prv' that covers the FQDN of the ISE node/s would be exposing the root AD domain and defeats the purpose of partitioning the domain?


Thanks,

As I didn't want guests to see the ISE nodes' hostnames, I decided not to use the WildSAN cert for Admin use and issued a cert from the internal CA.

WildSAN seems to be working for everything else so far, and the Admin cert is doing its job.