Certificate Matching in Cisco ISE-PIC
When you set up Cisco ISE-PIC nodes in a deployment, those two nodes communicate with each other. The system checks the FQDN of each ISE-PIC node to ensure that it matches the subject name in the node's certificate (for example, ise1.cisco.com and ise2.cisco.com, or *.cisco.com if you use wildcard certificates). In addition, when an external machine presents a certificate to an ISE-PIC server, the certificate presented for authentication is checked (matched) against the certificate in the ISE-PIC server. If the two certificates match, the authentication succeeds.
Cisco ISE-PIC checks for a matching subject name as follows:
Cisco ISE-PIC looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.
If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
If no match is found, the certificate is rejected.
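The matching order above (SAN DNS names first, Subject CN only when the SAN carries no DNS names, otherwise reject) modelled as an added Python example; this is illustrative code, not Cisco's implementation. It assumes case-insensitive hostname comparison and that a wildcard covers exactly one leftmost label, neither of which the text states.

```python
"""Subject-name matching as described for ISE-PIC (illustrative, not Cisco code).

Assumptions not stated on the page: comparison is case-insensitive, and a
wildcard such as *.cisco.com matches ise1.cisco.com but not a.b.cisco.com.
"""
from typing import Optional, Sequence


def _name_matches(cert_name: str, node_fqdn: str) -> bool:
    """True if one DNS name (plain or wildcard) matches the node FQDN."""
    cert_name = cert_name.strip().lower().rstrip(".")
    node_fqdn = node_fqdn.strip().lower().rstrip(".")
    if cert_name.startswith("*."):
        # Wildcard: the node FQDN must be exactly one label in front of
        # the wildcard domain, and that domain must match exactly.
        host, sep, domain = node_fqdn.partition(".")
        return bool(sep) and host != "" and domain == cert_name[2:]
    return cert_name == node_fqdn


def certificate_matches_node(san_dns_names: Sequence[str],
                             subject_cn: Optional[str],
                             node_fqdn: str) -> bool:
    """Apply the order from the text: SAN DNS names, then CN, else reject."""
    if san_dns_names:
        # SAN takes precedence: the CN is not consulted even if it would match.
        return any(_name_matches(n, node_fqdn) for n in san_dns_names)
    if subject_cn:
        return _name_matches(subject_cn, node_fqdn)
    return False


# Constructed sample inputs (name material only): (SAN DNS names, CN, node FQDN).
SAMPLES = {
    "san_exact": (["ise1.cisco.com", "ise2.cisco.com"], "ise-pic", "ise1.cisco.com"),
    "san_wildcard": (["*.cisco.com"], None, "ise2.cisco.com"),
    "cn_fallback": ([], "ise1.cisco.com", "ise1.cisco.com"),
    "san_overrides_cn": (["other.example.com"], "ise1.cisco.com", "ise1.cisco.com"),
    "wildcard_too_deep": (["*.cisco.com"], None, "ise1.lab.cisco.com"),
}

if __name__ == "__main__":
    for label, (san, cn, fqdn) in SAMPLES.items():
        verdict = "accepted" if certificate_matches_node(san, cn, fqdn) else "rejected"
        print(f"{label:18} -> {verdict}")
```

The san_overrides_cn case shows the failure mode worth remembering: a matching CN does not rescue a certificate whose SAN lists only non-matching DNS names.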