IEOC CCIE Forums

IEOC - INE's Online Community

Latest post 11-01-2016 3:51 PM by mhughes@ine.com. 6 replies.
  • 10-27-2016 5:32 AM

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,960

    ISE certificates

    Hi;

    I'm working on ISE to learn certificate management on it. I completed the process by binding a certificate to a previously generated CSR. I chose "EAP Authentication" and "Portal" as the new certificate usage while doing the binding task on ISE. Then I decided to include "Admin" as its usage to be able to use the new CA while accessing the ISE through my PC browser, but the following error message appears:

    "Certificate must contain the FQDN 'cisco-ise.eb.com.tr' or a matching wildcard in the common name (CN) component of Subject field."

    I reviewed the details and found that I set the CN to "ise.test.com" while the node hostname was "cisco-ise.test.com". Then I tried to generate another CSR with the CN set to "cisco-ise.test.com" in order to use it in "admin" usage, but this time another error message was shown as follows:

    "You are attempting to generate a CSR whose subject matches the subject of an existing certificate on the same node. This is only permitted when you are replacing a certificate of the same role. Note that the subject is the concatenation of several fields (for example, CN, O, OU, etc.) You can create a unique subject by varying the values in these fields."

    What can I do?

     

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

  • 10-27-2016 6:44 AM In reply to

    Re: ISE certificates

    We had similar problems and resolved them by re-generating the certs and populating the Subject Alternate Name with used variations of the FQDN and the IP address. There's a write-up online by Aaron Woland with Cisco on how best to do this. I think you should find that online and follow it verbatim.

  • 10-31-2016 12:58 AM In reply to

    • timaz

    Re: ISE certificates

    olushile:
    We had similar problems and resolved them by re-generating the certs and populating the Subject Alternate Name with used variations of the FQDN and the IP address. There's a write-up online by Aaron Woland with Cisco on how best to do this. I think you should find that online and follow it verbatim.

    Hi;

    Any chance to have that link or a short note about how you fixed that issue? 'Cause I didn't manage to find that doc. Thanks.

  • 10-31-2016 3:54 AM In reply to

    Re: ISE certificates

    Hi Timaz

    Here's the link that helped solve our problem:


  • 10-31-2016 6:28 AM In reply to

    • timaz

    Re: ISE certificates

    I didn't find the doc you had said, but read some docs from Cisco.com and managed to solve the issue. I checked the Allow Wildcard Certificate checkbox in the CSR page on ISE, typed any name for CN and put the actual ISE hostname in the SAN DNS field. Then I imported the root CA from the win cert server onto my PC and everything went OK this time. Thanks for your reply, "olushile".

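
The name mismatch discussed in this thread, as an added example that is not part of the original posts and is not Cisco ISE's own validation logic: a pre-flight check of whether a certificate's CN or SAN DNS entries cover a node FQDN before the certificate is bound to a role. The matching rules are RFC 6125-style and are an assumption; the hostnames are the ones quoted in the thread and the function names are hypothetical.

```python
# Added example: check certificate names against a node FQDN before binding.
# RFC 6125-style matching is assumed here; this is not ISE's implementation.

def name_matches(presented: str, fqdn: str) -> bool:
    """True if one presented name (CN or SAN DNS entry) covers fqdn."""
    p = presented.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        # Wildcard must be the whole leftmost label and leave at least two
        # fixed labels, so "*.com" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    # Partial wildcards such as "ise*.test.com" are rejected outright.
    return "*" not in presented and p == h


def verdict(fqdn: str, cn: str, san_dns: list) -> str:
    """Classify a certificate's names against the node FQDN.

    "ok"       - a SAN DNS entry covers the FQDN
    "cn-only"  - only the CN covers it; clients that validate SAN entries
                 alone will still reject the certificate
    "mismatch" - neither CN nor SAN covers the FQDN
    """
    if any(name_matches(n, fqdn) for n in san_dns):
        return "ok"
    if name_matches(cn, fqdn):
        return "cn-only"
    return "mismatch"


if __name__ == "__main__":
    node = "cisco-ise.test.com"           # node hostname from the thread
    cases = [                             # constructed from the posts above
        ("ise.test.com", []),             # original CSR: CN differs from node
        ("anyname", [node]),              # fix reported: hostname in SAN DNS
        ("*.test.com", []),               # wildcard in CN only
    ]
    for cn, san in cases:
        print(f"CN={cn!r} SAN={san} -> {verdict(node, cn, san)}")
```
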
  • 10-31-2016 1:19 PM In reply to

    Re: ISE certificates

    Sorry Timaz. I did respond with the URL, but it just got approved by IEOC.

  • 11-01-2016 3:51 PM In reply to

    Re: ISE certificates

    Hi Olushile,

    Your post got pulled aside for manual review due to the number of URL links it contained (1 in your own writing and 3 in the quoted post). Even if you are unmoderated (you are not moderated), if you go above some thresholds a post will require moderation. In the future, removing any unneeded URLs will prevent this from happening.

    It is a constant battle to prevent spam posts while keeping the forums open to new users, and unfortunately tweaking the forum's spam engine does tag more legitimate posts.

    Sincerely,

    Matthew Hughes
    Data Center Manager
    mhughes@ine.com
    Http://www.ine.com
