ISE certificates

Hi;

I'm working on ISE to learn certificate management on it. I completed the process by binding a certificate to a previously generated CSR. I chose "EAP Authentication" and "Portal" as the new certificate's usage while doing the binding task on ISE. Then I decided to include "Admin" as its usage to be able to use the new CA while accessing ISE through my PC browser, but the following error message appears:

"Certificate must contain the FQDN 'cisco-ise.eb.com.tr' or a matching wildcard in the common name (CN) component of Subject field."

I reviewed the details and found that I had set the CN to "ise.test.com" while the node hostname was "cisco-ise.test.com". Then I tried to generate another CSR with the CN set to "cisco-ise.test.com" in order to use it for the "Admin" usage, but this time another error message was shown, as follows:

"You are attempting to generate a CSR whose subject matches the subject of an existing certificate on the same node. This is only permitted when you are replacing a certificate of the same role. Note that the subject is the concatenation of several fields (for example, CN, O, OU, etc.) You can create a unique subject by varying the values in these fields."

What can I do?

 

Comments

  • We had similar problems and resolved it by re-generating the certs and populating the Subject Alternative Name with the used variations of the FQDN and the IP address. There's a write-up online by Aaron Woland with Cisco on how best to do this. I think you should find that online and follow it verbatim.

  • olushile: We had similar problems and resolved it by re-generating the certs and populating the Subject Alternative Name with the used variations of the FQDN and the IP address. There's a write-up online by Aaron Woland with Cisco on how best to do this. I think you should find that online and follow it verbatim.

    Hi;

    Any chance to have that link or a short note about how you fixed that issue? I didn't manage to find that doc. Thanks.

  • Hi Timaz

    Here's the link that helped solve our problem:

  • I didn't find the doc you had mentioned, but I read some docs on Cisco.com and managed to solve the issue. I checked the "Allow Wildcard Certificates" checkbox on the CSR page in ISE, typed any name for the CN and put the actual ISE hostname in the SAN DNS field. Then I imported the root CA from the Windows cert server onto my PC and everything went OK this time. Thanks for your reply, "olushile".

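The two checks behind the error messages in this thread, written out as an added example that is not part of the original posts and not Cisco's code: an RFC 6125-style hostname matcher applied first to the Subject CN (the Admin-role rule ISE quotes) and then to the SAN dNSName list (what a browser actually checks, since modern browsers ignore the CN), plus the Subject-uniqueness comparison that rejects a second CSR with an identical Subject. The certificate values are constructed from the names quoted above; the O/OU values, the RDN ordering in `subject_string`, and the rule that a wildcard only stands in for the whole left-most label are assumptions, not ISE's implementation.

```python
"""Hostname and Subject checks for an ISE node certificate (added example).

Models the two ISE error messages quoted in the thread:
  1. Admin role: the node FQDN, or a matching wildcard, must be in the Subject CN;
     browsers additionally need it in a SAN dNSName entry.
  2. CSR generation: a new CSR may not repeat the Subject (CN, O, OU, ...) of a
     certificate already present on the node.
Everything below is constructed for illustration; none of it is Cisco code.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CertIdentity:
    """The naming parts of a certificate or CSR that these checks look at."""
    cn: str
    san_dns: tuple = ()   # dNSName entries of the Subject Alternative Name
    o: str = ""
    ou: str = ""
    c: str = ""


def _name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style comparison of one DNS name (or wildcard) against an FQDN.

    Case-insensitive, trailing dot ignored. A wildcard is accepted only as the
    entire left-most label ("*.test.com") and stands in for exactly one label,
    so "*.test.com" matches "cisco-ise.test.com" but not "test.com" or
    "a.b.test.com". Partial wildcards such as "cisco-*.test.com" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False
    fhead, fsep, ftail = fqdn.partition(".")
    return bool(fsep) and fhead != "" and ftail == tail


def cn_covers_fqdn(cert: CertIdentity, fqdn: str) -> bool:
    """The condition ISE states for the Admin role: FQDN or wildcard in the CN."""
    return _name_matches(cert.cn, fqdn)


def san_covers_fqdn(cert: CertIdentity, fqdn: str) -> bool:
    """What a browser checks: FQDN or wildcard in some SAN dNSName entry."""
    return any(_name_matches(name, fqdn) for name in cert.san_dns)


def subject_string(cert: CertIdentity) -> str:
    """Concatenate the Subject RDNs; ISE compares CSR subjects as a whole.

    The ordering CN, OU, O, C is an assumption for this example.
    """
    parts = [("CN", cert.cn), ("OU", cert.ou), ("O", cert.o), ("C", cert.c)]
    return ",".join(f"{k}={v}" for k, v in parts if v)


def csr_subject_collides(new: CertIdentity, existing: list) -> bool:
    """True when the new CSR would repeat the Subject of a cert on the node."""
    return any(subject_string(new) == subject_string(old) for old in existing)


# Constructed data following the thread: node hostname, the first certificate
# (CN did not match the node FQDN), and the final one (any CN, FQDN in the SAN).
NODE_FQDN = "cisco-ise.test.com"
FIRST_CERT = CertIdentity(cn="ise.test.com", o="Test", ou="Lab")
FINAL_CERT = CertIdentity(cn="anyname", san_dns=(NODE_FQDN,), o="Test", ou="Lab")


def explain(cert: CertIdentity, fqdn: str) -> str:
    """Return a one-line verdict in the spirit of the ISE message."""
    if cn_covers_fqdn(cert, fqdn):
        return "CN matches node FQDN"
    if san_covers_fqdn(cert, fqdn):
        return "CN does not match node FQDN; SAN dNSName does"
    return f"Certificate must contain the FQDN '{fqdn}' or a matching wildcard"


if __name__ == "__main__":
    for cert in (FIRST_CERT, FINAL_CERT):
        print(f"CN={cert.cn!r} SAN={cert.san_dns}: {explain(cert, NODE_FQDN)}")
```

The first certificate fails both checks, which is the first error. The final certificate (CN "anyname", FQDN only in the SAN) still fails the CN rule here; the poster reports ISE accepted it once "Allow Wildcard Certificates" was ticked, and that flag is not modelled in this example. For the second error, a CSR whose CN, O and OU all repeat an existing certificate collides, while changing any one field (the error message suggests varying OU, for instance) gives a unique Subject.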
  • Sorry Timaz. I did respond with the URL but it just got approved by IEOC

  • Hi Olushile,

    Your post got pulled aside for manual review due to the number of URL links it contained (1 in your own writing and 3 in the quoted post). Even if you are unmoderated (you are not moderated), if you go above certain thresholds a post will require moderation. In the future, removing any unneeded URLs will prevent this from happening.

    It is a constant battle to prevent spam posts while keeping the forums open to new users, and unfortunately tweaking the forum's spam engine does tag more legitimate posts.

    Sincerely,
