08-25-2023 04:09 AM
Hello,
I have two Cisco ISE nodes working in a cluster as Primary and Secondary: node1.company.local and node2.company.local. These have their local DNS records:
node1.company.local = 10.10.100.11
node2.company.local = 10.10.100.12
Because of two nodes, I have two public domains:
guest1.company.com = 1.1.1.1
guest2.company.com = 2.2.2.2
I used both public domains in each public cert for each node.
for example:
Cert1 (for node 1 - Primary)
CN: guest1.company.com
SAN: DNS:guest1.company.com, DNS:guest2.company.com
Cert2 (for node 2 - Secondary)
CN: guest2.company.com
SAN: DNS:guest1.company.com, DNS:guest2.company.com
Going forward, my internal Cert team is suggesting I can use the same cert on both nodes, as it has both public domains in the SAN regardless of CN.
Could you please help me confirm whether that's true? Would this work if I fail over from the primary node to the secondary, with the cert working seamlessly? Technically, I think it should work, but I have never tested it.
Regards,
B
Note: Something similar is mentioned here: Cisco ISE - Renew Public Certificate for Guest Portal - Cisco Community
and Solved: ISE Guest portal public certificate - Cisco Community
08-27-2023 03:20 PM
This is discussed in the How To Implement Digital Certificates in ISE guide. See Model 3: Using the same certificate on all PSNs.
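As an added illustration (not from the thread or from Cisco's guide), the RFC 6125 hostname-matching rule behind the cert team's advice: when a certificate carries dNSName entries in its SAN extension, clients ignore the CN and match only against the SAN list, so one certificate listing both portal FQDNs is valid on whichever PSN serves the portal. The certificate names are taken from the post; the CN-only certificate is a constructed counterexample.

```python
"""Which portal FQDNs is a certificate valid for? RFC 6125 name matching:
when SAN dNSName entries exist, the CN is ignored and only the SAN counts."""
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    cn: str                                      # subject Common Name
    san_dns: list = field(default_factory=list)  # dNSName entries from the SAN


def _name_match(pattern: str, host: str) -> bool:
    """Match one presented identifier against a hostname, case-insensitively.
    A wildcard is honoured only as the entire leftmost label and covers exactly
    one label (so *.company.com matches guest2.company.com, not a.b.company.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    # Require at least three labels so a wildcard never covers a bare company.com
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def cert_matches_host(cert: CertIdentity, host: str) -> bool:
    if cert.san_dns:
        # SAN present: the CN plays no part in the decision.
        return any(_name_match(p, host) for p in cert.san_dns)
    # No SAN at all: legacy CN fallback, which current browsers no longer accept.
    return _name_match(cert.cn, host)


def uncovered_hosts(cert: CertIdentity, hosts) -> list:
    """Return the portal FQDNs the certificate would NOT be valid for."""
    return [h for h in hosts if not cert_matches_host(cert, h)]


# Both public portal FQDNs from the post.
PORTAL_FQDNS = ["guest1.company.com", "guest2.company.com"]

CERT1 = CertIdentity("guest1.company.com", ["guest1.company.com", "guest2.company.com"])
CERT2 = CertIdentity("guest2.company.com", ["guest1.company.com", "guest2.company.com"])
CN_ONLY = CertIdentity("guest1.company.com")  # constructed: CN only, no SAN extension

if __name__ == "__main__":
    for name, cert in [("Cert1", CERT1), ("Cert2", CERT2), ("CN-only", CN_ONLY)]:
        missing = uncovered_hosts(cert, PORTAL_FQDNS)
        print(f"{name}: {'covers both portals' if not missing else 'missing ' + ', '.join(missing)}")
```

Cert1 and Cert2 report the same coverage, which is why either one can be installed on both nodes; the CN-only certificate shows what breaks on the second portal once the SAN is absent.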
08-25-2023 04:37 AM
I do not see any issue technically.