Re: CISCO ISE error adding third node to deployment

SupportAC · ‎05-27-2026

Hi,

I need to add a third node to ISE deployment. When i go to PAN to register new node. I introduce FQDN, user, pass but i receive this error: Certificate Signature Verification failed CN= Company1 CAROOT, DC=Company1, DC=com: FQDN

I verified that the CAROOT and CA intermediate are in PAN and new node. How can i fix the issue? any idea?

Marvin Rhoads · ‎05-27-2026

Is the CAROOT certificate in the trusted certificate store on the current PAN? Double check that the certificate SHA-256 fingerprint matches.

SupportAC · ‎05-27-2026

Yes. I have all chain CAroot and intermediate in PAN,SAN and new node.

The different thing is that the certificates for the PAN and SAN nodes were signed by a different Root CA and using SHA1 (these devices were installed many years ago). The new ISE, however, was signed by another CA using SHA256. Even so, I imported the certificate along with the Root and Intermediate CAs used by the certificates on the previous nodes. I’m not sure whether this could be the issue.

I’m worried that I may need to regenerate the CSR and reissue/sign the certificates for the other two nodes (PAN and SAN) using the same Root CA (SHA-256) as the new node. I don’t like this option because it requires a reboot and deleting/replacing the certificate, which would cause service impact

Marvin Rhoads · ‎05-27-2026

From what you have described, it sound like buggy behavior. I would open a TAC case for a more detailed investigation (and hopefully resolution).