When guests are redirected to a Canonical Name Record (CNAME) for Cisco
Identity Services Engine (ISE) or sponsors are given a short URL in order to
reach the sponsor portal on ISE, they get a certificate error. This document
provides a solution to this problem.
You will need to complete this procedure if:
You want to redirect guests to a generic URL such as
guests.yourdomain.com instead of ise.yourdomain.com
You want to redirect sponsors to a generic URL such as
sponsors.yourdomain.com instead of ise.yourdomain.com
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
ISE allows only a single certificate to be installed for Management
purposes. This certificate is used for all HTTP sessions terminating on ISE,
including guest and sponsor sessions. Since the Subject Name of the certificate
has to contain the hostname of ISE, all guest sessions will need to be
redirected to the hostname of ISE. This is sometimes not desirable for security
or other reasons. The general way to get around this is to use a wildcard
certificate. However, ISE does not support that workaround.
This document describes how to create a certificate for ISE that maps
to multiple DNS names.
ISE allows you to install a certificate with multiple Subject
Alternative Name (SAN) fields. A browser reaching the ISE using any of the
listed SAN names will accept the certificate without any error as long as it
trusts the CA that signed the certificate.
The CSR for such a certificate cannot be generated from the ISE GUI.
You will need to use OpenSSL in order to generate the CSR and its private key.
Complete these steps:
On a host where OpenSSL is installed, create a configuration file
with the following content. In this example, we will name it my-csr.cnf.
[ req ]
# 2048-bit minimum: public CAs no longer accept 1024-bit RSA keys
default_bits = 2048
default_keyfile = privatekey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_max = 100
[ req_ext ]
subjectAltName = @alt_names
# Section referenced by @alt_names above; openssl cannot load req_ext without it
[ alt_names ]
DNS.1 = <FQDN of ISE>
DNS.2 = sponsor.<yourdomain>
DNS.3 = guest.<yourdomain>
In the configuration file:
DNS.1 and commonName should be the same.
Modify the DNS.2 and DNS.3 as required.
You can add more SANs as DNS.4, DNS.5, and so on.
Do not change the value of commonName in the configuration file.
The actual commonName will be set in the next
Generate the CSR using this command (the -config argument names the file created above):
openssl req -new -nodes -out newise.csr -config my-csr.cnf
You will be prompted to enter the commonName for the certificate and
then the command will create two files - newise.csr and privatekey.pem. The
first file contains the CSR that can be used by the CA in order to generate a
Once you have the certificate file, verify the SAN fields using the
following command. For this example, the certificate filename is assumed to be
openssl x509 -text -noout -in my-newise-cert.pem
In the output of the above command, look for output similar
Version: 3 (0x2)
X509v3 Subject Alternative Name:
X509v3 Basic Constraints:
X509v3 Key Usage:
Digital Signature, Key Encipherment
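The following script is an added example and not part of the original Cisco document. It scripts the procedure above end to end: it writes an OpenSSL request config with the [ alt_names ] section, generates the CSR and private key non-interactively (prompt = no supplies the commonName from the file instead of a prompt), and then performs the check a practitioner wants before the import into ISE: that the commonName equals DNS.1 and that the SAN list of the CSR, and later of the issued certificate, covers every portal hostname. Because no CA is available offline, it self-signs the CSR purely to exercise the x509 verification step. The hostnames ise.example.com, sponsor.example.com and guest.example.com and the file names are constructed placeholders; only an installed openssl binary is assumed.

```shell
#!/bin/sh
# Added example, not from the original Cisco document: multi-SAN CSR for ISE
# portals plus SAN/commonName checks. Hostnames below are constructed placeholders.
set -e

ISE_FQDN="ise.example.com"          # DNS.1, must equal the commonName
SPONSOR_FQDN="sponsor.example.com"  # DNS.2
GUEST_FQDN="guest.example.com"      # DNS.3

# Write an OpenSSL request config. prompt = no makes openssl req non-interactive.
# Usage: write_csr_config <outfile> <cn-and-DNS.1> [more SAN hostnames...]
write_csr_config() {
  out="$1"; shift
  {
    printf '[ req ]\n'
    printf 'default_bits = 2048\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = req_ext\n'
    printf 'prompt = no\n'
    printf '[ req_distinguished_name ]\n'
    printf 'commonName = %s\n' "$1"
    printf '[ req_ext ]\n'
    printf 'subjectAltName = @alt_names\n'
    printf '[ alt_names ]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$out"
}

# Generate privatekey.pem and newise.csr in the given directory.
generate_csr() {
  dir="$1"
  write_csr_config "$dir/my-csr.cnf" "$ISE_FQDN" "$SPONSOR_FQDN" "$GUEST_FQDN"
  openssl req -new -nodes -config "$dir/my-csr.cnf" \
    -keyout "$dir/privatekey.pem" -out "$dir/newise.csr" 2>/dev/null
}

# Print the commonName of a CSR (RFC 2253 form avoids version-specific spacing).
csr_common_name() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject=[[:space:]]*CN=//p'
}

# Print the DNS entries of the subjectAltName extension, one per line.
# kind is "req" for a CSR or "x509" for the certificate the CA returns.
san_dns_names() {
  kind="$1"; file="$2"
  openssl "$kind" -noout -text -in "$file" \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if every hostname given appears as a DNS SAN in the file.
covers_all_hosts() {
  kind="$1"; file="$2"; shift 2
  names=$(san_dns_names "$kind" "$file")
  for host in "$@"; do
    printf '%s\n' "$names" | grep -qx "$host" || return 1
  done
  return 0
}

# Lab only: self-sign the CSR so the x509 check can be run without a CA.
# -extensions req_ext carries the SAN list into the certificate, as a CA would.
self_sign_for_lab() {
  dir="$1"
  openssl x509 -req -days 1 -in "$dir/newise.csr" -signkey "$dir/privatekey.pem" \
    -extfile "$dir/my-csr.cnf" -extensions req_ext \
    -out "$dir/newise-selfsigned.pem" 2>/dev/null
}

# Run with "sh multi-san-csr.sh demo" to walk through the whole flow.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  generate_csr "$work"
  [ "$(csr_common_name "$work/newise.csr")" = "$ISE_FQDN" ] || echo "CN does not match DNS.1"
  self_sign_for_lab "$work"
  covers_all_hosts x509 "$work/newise-selfsigned.pem" \
    "$ISE_FQDN" "$SPONSOR_FQDN" "$GUEST_FQDN" && echo "SAN list covers all portal hostnames"
  san_dns_names x509 "$work/newise-selfsigned.pem"
fi
```

For a real deployment, send newise.csr to the CA, then run covers_all_hosts x509 against the certificate the CA returns before importing it with privatekey.pem into ISE; some CAs drop requested extensions, and a certificate that lost its SAN list will still produce the browser error described at the top of this document.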
Once verified, use the certificate file and the privatekey.pem file
in order to add the certificate and private key file to ISE. Complete these
steps in order to add them:
In the ISE GUI, go to Administration >
Certificates > Local
Click Add, and choose Import Local Server
In the Certificate File field, choose the certificate file
generated by the CA.
In the Private Key File field, choose the privatekey.pem file
In the Protocol section, choose Management Interface: Use
certificate to authenticate the web server (GUI).