Certificate Matching in Cisco ISE-PIC
When you set up Cisco ISE-PIC nodes in a deployment, the nodes communicate with each other. The system checks the FQDN of each Cisco ISE-PIC node against the name in its certificate to ensure that they match (for example, ise1.cisco.com and ise2.cisco.com, or *.cisco.com if you use wildcard certificates). In addition, when an external machine presents a certificate to a Cisco ISE-PIC server, the external certificate that is presented for authentication is checked (or matched) against the certificate in the Cisco ISE-PIC server. If the two certificates match, the authentication succeeds.
Cisco ISE-PIC checks for a matching subject name as follows:
- Cisco ISE-PIC looks at the subject alternative name extension of the certificate. If the subject alternative name contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.
- If there are no DNS names in the subject alternative name, or if the subject alternative name is missing entirely, then the common name in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
- If no match is found, the certificate is rejected.
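The three rules above, carried out in code as an added example that is not Cisco's own implementation. It assumes the certificate's Subject CN and SAN dNSName entries have already been parsed out (the CertNames values are constructed), and that a wildcard covers exactly one label, so *.cisco.com matches ise1.cisco.com but not a.b.cisco.com.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Name fields taken from a certificate (constructed input, not a real parse)."""
    subject_cn: Optional[str]                                # CN in the Subject field
    san_dns_names: List[str] = field(default_factory=list)   # dNSName entries in the SAN


def _name_matches(name: str, node_fqdn: str) -> bool:
    """Compare one certificate name with the node FQDN, case-insensitively."""
    name = name.lower().rstrip(".")
    fqdn = node_fqdn.lower().rstrip(".")
    if name.startswith("*."):
        # Wildcard: the wildcard's domain must equal the domain part of the FQDN.
        # Assumption: one label only (ise1.cisco.com, not a.b.cisco.com).
        _, _, fqdn_domain = fqdn.partition(".")
        return bool(fqdn_domain) and name[2:] == fqdn_domain
    return name == fqdn


def certificate_matches_node(cert: CertNames, node_fqdn: str) -> bool:
    """Apply the ISE-PIC subject-name rules: SAN DNS names, then Subject CN, else reject."""
    if cert.san_dns_names:
        # Rule 1: SAN carries DNS names, so only those are consulted; the CN is ignored.
        return any(_name_matches(n, node_fqdn) for n in cert.san_dns_names)
    if cert.subject_cn:
        # Rule 2: no DNS names in the SAN (or no SAN at all), fall back to the Subject CN.
        return _name_matches(cert.subject_cn, node_fqdn)
    return False  # Rule 3: nothing matched, reject the certificate


if __name__ == "__main__":
    # Constructed sample certificates for the node names used in the text.
    samples = [
        ("SAN DNS exact", CertNames("ignored", ["ise1.cisco.com"]), "ise1.cisco.com"),
        ("SAN wildcard", CertNames(None, ["*.cisco.com"]), "ise2.cisco.com"),
        ("SAN present, CN only matches", CertNames("ise1.cisco.com", ["other.example"]), "ise1.cisco.com"),
        ("No SAN, CN match", CertNames("ise1.cisco.com"), "ise1.cisco.com"),
        ("Wildcard too deep", CertNames(None, ["*.cisco.com"]), "a.b.cisco.com"),
    ]
    for label, cert, fqdn in samples:
        print(f"{label:32} -> {'accept' if certificate_matches_node(cert, fqdn) else 'reject'}")
```

The third sample shows the rule that bites most often in practice: once the SAN lists any DNS name, a matching CN no longer rescues the certificate.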