
ISE and certificates

Mikael Gustafsson

Hi all,

I'm trying to get my head around using 3rd-party certificates with ISE, and I think I need some guidance here.

I have a setup of 6 ISE nodes, 2xAdmin, 2xMonitoring and 2xPolicy.

All of these have the domain-name of abc.local.

I want to use MS-CHAPv2 and the guest service without certificate errors.

So do I need to enroll all six of my nodes with a 3rd-party CA? Or just the 2xPolicy nodes?

I know the best solution would be all six but just to know if it is possible.

How do I get around the problem with .local? I do not think it is possible to get a certificate with .local as a domain in FQDN.

Is a SAN certificate useful here? How would that look (still .local in the CN?)

Other things to consider in this?



Accepted Solution

That is correct, you need to issue the CSR based on the host name currently configured for ISE, which is the FQDN.

Your issue is that public certificate authorities will not issue you a cert because you are using a .local domain and not a public domain like .com, .edu or .org, to name a few.

The only way to resolve your issue is to use a private Microsoft certificate authority, which is simple to configure. Or change your ISE domain name and use your company's public domain name.




Eduardo Aliaga

You can only ask a 3rd-party CA for a certificate for a valid and public domain that you own. Since "abc.local" isn't a valid public domain, the 3rd-party CA can't generate the certificate.

If you want a ".local" domain you can just create your certificates yourself, by using a Microsoft Certificate Authority for example, and then make all your domain PCs "trust" this domain by using Group Policies.

Hope it helps

What about the FQDN and ISE? As I understand it, I do need to use it in the CSR?

Based on the ip domain-name and hostname from ISE.

And if I want 3rd-party signing of this, I need to change the ip domain-name?

Am I missing something here?

The documentation says:

The same from UG 1.1.1:

If you intend to use the certificate generated from this CSR for HTTPS communication (Management Interface), ensure that the CN value in the Certificate Subject is the FQDN of the node. Otherwise, you will not be able to select Management Interface when binding the generated certificate.

From TS 2.1 How-To 04:

Note: If you did not create the certificate signing request (CSR) with the same host name as the Cisco ISE server (or did not use the same domain name), then you will receive an error message. Delete the old CSR or simply change the host name and start again.
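As an added example, not part of the thread or of any Cisco documentation, the script below builds a CSR the way the two quoted notes require (the CN is the node's FQDN, i.e. hostname plus ip domain-name) and checks that CN before the CSR is uploaded, which is the mismatch that triggers the error quoted from TS 2.1 How-To 04. It also answers the SAN question from the opening post: the SAN carries the same FQDN plus a second DNS name, so a guest-portal name can be covered without changing the CN that ISE compares against its hostname. The node name ise-psn1, the domain abc.local and the guest name guest.example.com are assumed values; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: build a CSR whose CN is
# the ISE node's FQDN (hostname + "." + ip domain-name), put the FQDN and a
# second name in the SAN, and check the CN before uploading the CSR.
# Node name, domain and guest-portal name are assumed values.
set -e

ISE_HOST="ise-psn1"              # assumed: `show hostname` on the node
ISE_DOMAIN="abc.local"           # assumed: configured ip domain-name
GUEST_NAME="guest.example.com"   # assumed: extra SAN for the guest portal
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# FQDN exactly as ISE composes it: hostname, a dot, the ip domain-name.
ise_fqdn() {
    printf '%s.%s\n' "$1" "$2"
}

# Generate key + CSR: CN is the FQDN, SAN repeats it and adds a second name.
# Arguments: fqdn, extra SAN DNS name, output path prefix.
make_csr() {
    fqdn="$1"; extra="$2"; out="$3"
    cat > "$out.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = san
prompt = no
[ dn ]
CN = $fqdn
[ san ]
subjectAltName = DNS:$fqdn, DNS:$extra
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out.key" -out "$out.csr" -config "$out.cnf" 2>/dev/null
}

# Print the CN of a CSR (RFC2253 form prints "subject=CN=<name>").
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=CN=//p'
}

# Print the SAN list of a CSR as "DNS:a,DNS:b".
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}

# Exit 0 when the CSR's CN equals the FQDN the node is configured with;
# anything else is the host-name mismatch ISE rejects at bind time.
csr_matches_node() {
    [ "$(csr_cn "$2")" = "$1" ]
}

FQDN="$(ise_fqdn "$ISE_HOST" "$ISE_DOMAIN")"
make_csr "$FQDN" "$GUEST_NAME" "$WORKDIR/$ISE_HOST"
echo "CN : $(csr_cn "$WORKDIR/$ISE_HOST.csr")"
echo "SAN: $(csr_sans "$WORKDIR/$ISE_HOST.csr")"
if csr_matches_node "$FQDN" "$WORKDIR/$ISE_HOST.csr"; then
    echo "CSR CN matches node FQDN $FQDN; submit it to the private CA"
fi
```

One caveat a practitioner should keep in mind: a public CA will refuse an internal name such as abc.local whether it appears in the CN or only in the SAN, so a CSR built this way is for the private (Microsoft) CA route the accepted answer describes; the SAN does not turn a .local CSR into something a 3rd-party CA will sign.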