ISE Certificate SAN

descalante2007

My customer is requesting to have a Certificate in ISE to avoid the warning certificate message on sponsor and guest portals. I understood the CSR generated by ISE can't support SAN, so the workaround is using OpenSSL (something I never heard about before).

My questions are:

If I'm able to generate the CSR (I hope so), I will need to deliver it to the customer PKI (it is a Microsoft system). Should I deliver the CSR and a key, or just the CSR?

Once the certificate is generated, should I receive just a .cer file?

In accord with the TAC document 113675 (Generate a certificate for ISE that binds to multiple names), I need to Import a Local Server Certificate ... Is that all? I don't need to bind the certificate with a CSR.

Honestly I'm worried about the openSSL, because I don't have an idea how to use it. I will appreciate your replies and any tip about this issue.

Thanks.

Daniel Escalante.

jan.nielsen

CSR only for the PKI; OpenSSL will generate the CSR and private key if you follow the guide. When you get the .cer file, you import both the .cer and the private key in ISE.

Much like Jan said, you will also need the password for the private key. You cannot generate multiple SAN (or DNS names) using the built-in CSR tool on the ISE portal. Here is a guide that should help you build the CSR with the additional names:

http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bd0953.shtml

Thanks,

Tarik Admani

ISE software also uses OpenSSL. Though up to ISE 1.1.x the interface does not provide a field for SAN (Subject Alternative Name), it should support wildcard certificates. It is just the interface that does not facilitate certificate and CSR generation. So we need to generate the certificate and CSR by explicit use of OpenSSL.

As far as wildcard certificate support is concerned, ISE 1.2 would definitely support this feature. This is confirmed.

Hello all,

I am in the process of a new 1.2 ISE deployment and have come across an issue with the wildcard cert and generating the CSR. I have also spoken with TAC and they are telling me the same thing I am reading in the Cisco doc, so I am missing something somewhere.

I am being told that ISE REQUIRES a FQDN for the CN and then you place the wildcard in the SAN. I cannot use the wildcard in the CN field. So far two different CA providers are telling me I cannot generate a wildcard certificate this way. How has anyone else gotten this to work? When I pressed TAC I was told it would probably work with the CN containing the wildcard, but there have been reported issues specifically with Microsoft clients. Considering the cost of the cert is several hundred dollars, I do not want to be wrong.

Brent

The CN has to be in the certificate field; I do not know how you can get past this requirement. The wording for wildcard certificates in ISE is a little misleading. In most environments, when you use wildcard certs, the server accepts them. ISE does a validation check that the CN of the certificate must match the FQDN configured during setup.

The reason for this is that ISE uses certificate authentication to join all ISE nodes, so if there were a true wildcard certificate you could never get the nodes to register to one another.

You will have to generate a CSR with the CN of the FQDN of ISE and the SAN set to a wildcard name.

Tarik Admani

Tarik,

Therein lies the issue. So far all the CAs we have tried REQUIRE the asterisk be in the CN, yet Cisco is requiring FQDN for CN with the asterisk in the SAN. Am I trying to acquire the wrong certificate type? Do I need to acquire a different type of certificate than what is called a "wildcard" certificate, or a different CA where this actually works?

Brent

Not to be picky but this was written back in 2012 so I figure for an earlier version of ISE? I am running the new 1.2 and want to make sure this will work since I do not want to buy a certificate then find out afterwards it is still the wrong one.

I have installed ISE version 1.2 several times using this method. Use a generic name in the CN field, i.e. ise.xyz.com. In the SAN DNS field add ise.xyz.com and *.xyz.com. There are a few companies now that will build a wildcard certificate this way. You are looking for a "UCC" type cert. I have used Comodo and ssl.com in the past with no issues.
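
The request described in the replies above (CN set to the node FQDN, SAN carrying that FQDN plus the wildcard), written out as an OpenSSL sequence. This is an added example, not part of the original thread or the Cisco tech note; the file names, function names and the `ISE_KEY_PASS` variable are assumptions, and `ise.xyz.com` is the sample name used in the last reply.

```shell
#!/bin/sh
# Added example (not from the thread): CSR with CN = node FQDN and
# SAN = FQDN + wildcard. File and function names are assumptions.

# make_ise_csr FQDN DOMAIN OUTDIR
# Writes ise.cnf, ise.key (passphrase-protected) and ise.csr to OUTDIR.
# The key passphrase is read from the ISE_KEY_PASS environment variable.
make_ise_csr() (
    fqdn=$1 domain=$2 outdir=$3
    : "${ISE_KEY_PASS:?set ISE_KEY_PASS to the private key passphrase}"
    umask 077    # key and config readable by the owner only
    mkdir -p "$outdir"
    cat > "$outdir/ise.cnf" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $fqdn

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $fqdn
DNS.2 = *.$domain
EOF
    openssl req -new -newkey rsa:2048 \
        -keyout "$outdir/ise.key" -passout env:ISE_KEY_PASS \
        -out "$outdir/ise.csr" -config "$outdir/ise.cnf"
)

# csr_sans CSR: print the SAN entries to check before sending to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# csr_subject CSR: print the subject (the CN must be the node FQDN).
csr_subject() { openssl req -in "$1" -noout -subject; }

# Constructed sample run in a scratch directory.
export ISE_KEY_PASS='constructed-example-passphrase'
demo=$(mktemp -d)
make_ise_csr ise.xyz.com xyz.com "$demo"
csr_subject "$demo/ise.csr"
csr_sans "$demo/ise.csr"
```

Only `ise.csr` goes to the CA; `ise.key` and its passphrase stay with you for the import into ISE together with the issued certificate.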
