1591 Views · 5 Helpful · 10 Replies

ISE certificate issue

atheio
Level 1

I am having a problem binding a CSR and the resulting certificate. I get the error "Certificate must contain the FQDN...". Research has shown that this has occurred before and was related to a SAN not matching the domain. I have verified that they do match, no leading or trailing spaces; no 0o/1l typos. My cert looks like:

(The machine name is ise01)

- Multi-use
- Allow Wildcard Certificates
- CN: ise.client.com
- SAN: ise.client.com
       *.client.com
       ise01.client.com


I checked the hostname in CLI and even made sure the virtual machine name was all matching. Does anyone know what log would contain failures for this? I tried recursive grep'ing for different words from the support bundle and could not find anything. What else would you recommend? Thank you for your time.

10 Replies

Is the FQDN of ISE actually ise01.client.com?  Or is it something else?

Yes it is.

balaji.bandi
Hall of Fame

ise01.client.com - is this resolving in your nslookup?


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

No, it doesn't, sir. This ISE server will be the primary (10.1.1.134), and there will be a secondary (10.1.1.135). I wasn't sure if I needed to make the "ISE-cube" first or apply certificates. I have only created A records pointing ise.client.com to those IPs.


Create another A entry for ISE01 and test it.

BB


Ok, I added an A record for ISE01, generated the CSR, and I get the same error when I try to bind the new cert to the CSR. Should I add the machine hostname to the SAN field?

ex: ise.client.com
    *.client.com
    ise01.client.com

Machine hostname?  I thought the ISE hostname was ise01.client.com?  Is the DNS ise01.client.com but the actual hostname of the ISE node something else?

Sorry, I think I am muddying the water. Here is a diagram of the setup. Do I need to add ise01.client.com and ise02.client.com to the SAN fields?

[Screenshot attached: Screen Shot 2022-06-16 at 12.34.29 PM.png]

Yes, the FQDN/hostname of the individual ISE Server (or a wildcard) must be in the SAN field.


FYI, your screenshot includes the actual DNS name of the ISE node.  You may want to blank that out for privacy.
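The rule in the answer above (each ISE node's own FQDN, or a wildcard that covers it, must appear in the SAN) can be checked offline before a cert is bought or bound. The script below is an added example, not code from this thread or from Cisco; the SAN lists are constructed to mirror the two certificates discussed (the wildcard cert the poster wanted and a "basic" cert whose SAN only carries the cluster name and an auto-populated www entry), and the matching rules follow RFC 6125 (a wildcard replaces exactly one left-most label, and when a SAN extension is present the CN is not consulted).

```python
"""Check whether each ISE node FQDN is covered by a certificate's SAN list.

Added example (not from the Cisco Community thread). SAN lists below are
constructed; replace them with the dNSName entries from your own CSR/cert.
"""


def normalize(name: str) -> str:
    """Lower-case, strip stray whitespace and a trailing dot: the mismatches
    a reader has to rule out by eye when the error message is terse."""
    return name.strip().rstrip(".").lower()


def label_matches(pattern: str, hostname: str) -> bool:
    """True if one CN/SAN pattern covers hostname (RFC 6125 style).

    '*.client.com' matches 'ise01.client.com' but not 'client.com' and not
    'a.b.client.com': the wildcard stands in for exactly one label.
    """
    pattern, hostname = normalize(pattern), normalize(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".client.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def covered_names(cn: str, sans: list[str], hostnames: list[str]) -> dict:
    """Map each node FQDN to the entry that covers it, or None.

    Per RFC 6125 the CN is only a fallback when no dNSName SAN exists, so a
    cluster name in the CN does nothing for the individual node names.
    """
    patterns = list(sans) if sans else [cn]
    return {
        host: next((p for p in patterns if label_matches(p, host)), None)
        for host in hostnames
    }


def missing_names(cn: str, sans: list[str], hostnames: list[str]) -> list[str]:
    """Node FQDNs that no entry covers: the 'Certificate must contain the
    FQDN' situation from the original post."""
    return [h for h, p in covered_names(cn, sans, hostnames).items() if p is None]


# Constructed inputs modelled on the thread: two nodes behind one cluster name.
NODE_FQDNS = ["ise01.client.com", "ise02.client.com"]

WILDCARD_CERT = {
    "cn": "ise.client.com",
    "sans": ["ise.client.com", "*.client.com", "ise01.client.com"],
}

# A 'basic' single-name cert: the cluster name plus an auto-added www entry.
BASIC_CERT = {
    "cn": "ise.client.com",
    "sans": ["ise.client.com", "www.ise.client.com"],
}


def report(label: str, cert: dict) -> None:
    """Print which node names the certificate does and does not cover."""
    print(f"== {label} ==")
    for host, entry in covered_names(cert["cn"], cert["sans"], NODE_FQDNS).items():
        status = f"covered by {entry}" if entry else "NOT covered (bind will fail)"
        print(f"  {host}: {status}")


if __name__ == "__main__":
    report("wildcard cert", WILDCARD_CERT)
    report("basic cert", BASIC_CERT)
```

Run it as-is to see the basic cert leave both node names uncovered while the wildcard cert covers them; swap in the dNSName entries from your own CSR (for example from `openssl req -noout -text`) and the node hostnames from each ISE node's CLI to repeat the check for a real deployment.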

I identified the issue. The wrong cert was purchased: we ordered a basic one when we needed a wildcard, which was why "www." was getting auto-populated in the SAN field. Thank you all for your help!