I have run into he same situation with public CAs. I need two separate certs, a public https one and an internal EAP one, each on a different domain. Is this possible? if so how do you generate the certs for two different domains? The public one is straight ford as it will have the correct domain on configure on the ISE node. However for the EAP cert how will an internal PKI react to a CSR generated by a box on a different domain?

Recently I had a conversation with the TAC engineer. And the outcome seemed positive. The outcome from that conversation was the following:

- Https wild card certificate from Public issuer with example.org.au 
- CLI change on ISE nodes to change their domain to org.au
- The company DNS must be able to resolve the ISE FQDN node names with example.org.au. For example - ISE01.example.org.au. 
- The EAP certificate can be issued from the legacy Corporate PKI with a domain of example.local

However in a response to the same question the account team have said:

In response to checking if ISE can deployed with multiple domain certificates such as for http management on example.org and EAP on example.internal.org

The reason why this is not possible is because for installing a certificate in ISE you need to pass few conditions - 

"Cisco ISE checks for a matching subject name as follows:

1.Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.

2.If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3.If no match is found, the certificate is rejected."

It sounds like you are trying to put two certs on the one box is that correct? 1 for HTTPs and one for EAP? If so I don't think you need too. Basically the server certificate can be used for both HTTPS (management portals etc) and for EAP. When the tick box for EAP is ticked you have to realise this isn't been used for the AAA component but to secure the tunnel for the AAA stuff. In terms of authenticating the actual user certificates you basically need to have the issuing roots and subs in the cert store with trust for EAP enabled.

Correct two certs. The reason is the public CA's won't sign a wildcard .local cert anymore. Our client has a .local internal domain for users, AD etc. so I need a eap cert for .local generated from their PKI and separate public signed cert example.org domain for http cert.

If this combination is not possible I will use a cert with lots of SAN entries as the public CA's will still do these.

Is this a distributed deployment? In all my deployments I am using either a wildcard/SAN public certificate for my PSNs and using internal PKI for the admin and monitoring. Bascially the PSNs have a public domain name and the admin and monitoring have an internal domain name.

Bascially what I am getting at is there is no requirement for an internal server certificate on the PSN to support EAP connections from an internal domain - the public server cert will do the job just fine - all you have to do is make sure the issuing servers are selected if you are validating the server certificate on the clinet machine. The server certificate itself is utilised to create a tunnel and does not impact the ability of a client to authenticate.

If I am not understanding your concern my apologies.