
ERROR WHILE TRYING TO GENERATE CSR IN CISCO ISE

sasanka1912
Level 1

Hi,

I am trying to set up Cisco ISE in my Eve-ng and am getting the error below when trying to generate a CSR in Cisco ISE.

Screenshots attached.

Looks like my browser has ise1.google.com where root-ca has test.local.

How can I resolve this without having to amend everything from AD?

Many thanks

Accepted Solutions

Arne Bier
VIP

How did you even come up with ise.google.com? How does this relate to your lab domain of test.local?

The principle is pretty simple. If you want to address your ISE node as ise.test.local, then do this:

Create a DNS entry in your local DNS server for ise.test.local that points to the IP address of your ISE node. If you have multiple ISE nodes, then use ise1.test.local, ise2.test.local etc. - you get the point. It sounds like you are using Microsoft Server in your lab - the DNS server is very good.

In ISE, create a CSR: Administration > System > Certificate Signing Request

Select "Admin" from the Usage drop-down. 

Tick the node you want to make CSR for.

In the Subject common name just leave the field as $FQDN$ (if your ISE node has the FQDN of ise.test.local - is this what you named the ISE node during its setup? Check the ISE CLI) - if not, then type ise.test.local in the Subject

In the SAN, select the DNS drop-down and then enter ise.test.local

Click Generate (don't fiddle with the other fields unless you know what you are doing)

Paste/upload that CSR to your lab CA and then bind the cert back to this CSR. ISE will restart and then you will have the cert for the Admin Usage. 
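
A check for the CSR described in the answer above, as an added example that is not part of the original post: it reads the Subject CN and DNS SAN entries from a CSR saved as a PEM file and compares them with the FQDN you intend to browse to. It assumes OpenSSL 1.1.1 or later on an admin workstation; `make_sample_csr` is a hypothetical helper that builds constructed CSRs standing in for the one generated by ISE.

```shell
#!/bin/sh
# Added example, not from the thread: confirm a CSR names the FQDN you expect
# before submitting it to the CA. Assumes OpenSSL 1.1.1+ (needed for -addext).

# Print the Subject common name of the CSR in file $1.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    awk -F' = ' '/commonName/ {print $2}'
}

# Print each DNS entry of the Subject Alternative Name extension, one per line.
csr_dns_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_csr FILE FQDN: succeed only if the CN and a DNS SAN both equal FQDN
# (hostnames are compared case-insensitively).
check_csr() {
  want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  cn=$(csr_cn "$1" | tr '[:upper:]' '[:lower:]')
  rc=0
  [ "$cn" = "$want" ] || { echo "CN '$cn' does not match $want"; rc=1; }
  csr_dns_sans "$1" | tr '[:upper:]' '[:lower:]' | grep -qxF "$want" ||
    { echo "no DNS SAN entry for $want"; rc=1; }
  return $rc
}

# Hypothetical helper: $1=output file, $2=CN, $3=DNS SAN (constructed sample data).
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$3" -out "$1" 2>/dev/null
}

# Demo with the two names from the thread.
tmp=$(mktemp -d)
make_sample_csr "$tmp/good.csr" ise.test.local ise.test.local
make_sample_csr "$tmp/bad.csr" ise1.google.com ise1.google.com
check_csr "$tmp/good.csr" ise.test.local && echo "good.csr: names match"
check_csr "$tmp/bad.csr" ise.test.local || echo "bad.csr: regenerate before submitting"
rm -rf "$tmp"
```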


2 Replies

@Arne Bier re: How did you even come up with ise.google.com? How does this relate to your lab domain of test.local?

The DNS entry has been created with Microsoft Server, and when accessing Cisco ISE via the local management address it has an ISE.Google.com certificate as per the screenshot, and this stops me generating a CSR in Cisco ISE.

Will try your steps and let you know regarding the status of that.