ISE Annual Certificate Renewal

Project Summary

Annual renewal of the ISE multi-purpose wildcard certificate used for Admin GUI, Guest/Sponsor Portal, EAP authentication (802.1X), and pxGrid. The certificate uses a specific FQDN in the CN (e.g., access2.ise.chla.org) with a wildcard in the SAN (*.ise.chla.org). This structure is mandatory — Windows native supplicants reject wildcard certificates where the * appears in the Subject CN field during 802.1X EAP authentication.

Why the CN Cannot Be a Wildcard

Windows supplicants reject * in the Subject CN for EAP authentication. This is a known Microsoft behavior — even with "Validate Server Identity" disabled, the SSL/TLS handshake fails when the CN contains a wildcard. Cisco documents this explicitly and tracks it as CSCuh22029.

The fix: Use a real FQDN in CN, put the wildcard only in SAN DNS Name.

  • CN=access2.ise.chla.org + SAN: DNS:*.ise.chla.org — works

  • CN=*.ise.chla.org — Windows EAP auth fails silently

Some CAs auto-populate the CN with the wildcard from the SAN even if your CSR doesn’t include it. You must explicitly request they do NOT do this.

Certificate Structure

Field              | Value
-------------------|------------------------------------------------------------------------------------
Subject CN         | access2.ise.chla.org (arbitrary, specific FQDN — no wildcard)
SAN DNS Names      | *.ise.chla.org (wildcard), plus individual node FQDNs as needed
Key Usage          | Digital Signature, Key Encipherment
Extended Key Usage | Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)
Key Size           | 2048 or 4096 (confirm current)
Validity           | 1 year (annual renewal)
Issuer             | confirm: CHLASUBCA / external CA

Roles Bound to This Certificate

ISE Role                    | Port | Impact If Expired
----------------------------|------|-----------------------------------------------------------
Admin                       | 443  | CRITICAL — admin GUI inaccessible, inter-node trust breaks
EAP Authentication          | 1812 | CRITICAL — all 802.1X auth fails, endpoints disconnect
Portal (Guest/Sponsor/BYOD) | 8443 | HIGH — portal cert warnings, BYOD onboarding fails
pxGrid                      | 8910 | MEDIUM — SIEM/MDM integrations break, not end-user facing

Phase Summary

Phase             | Description                                          | Status         | Notes
------------------|------------------------------------------------------|----------------|----------------------------------------
0: Recon          | Inventory current certs, verify expiry, document CA  | ❌ Not started |
1: CSR Generation | Generate CSR via OpenSSL CLI with correct CN/SAN     | ❌ Not started | NOT via ISE GUI — use OpenSSL
2: CA Submission  | Submit CSR to CA, receive signed cert                | ❌ Not started | Watch for CA auto-adding wildcard to CN
3: Import & Bind  | Import signed cert to ISE, bind to all roles         | ❌ Not started | Maintenance window required
4: Validation     | Verify all ports, chain, supplicant connectivity     | ❌ Not started |
5: Monitoring     | 48h post-renewal failure watch                       | ❌ Not started | DataConnect queries
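As an added example (not part of this runbook or of Cisco's documentation), the Phase 1 CSR generation and the Phase 2 "did the CA move the wildcard into the CN" check, as sh over the OpenSSL CLI. The scratch directory, file names and 2048-bit key size are assumptions, and the "CA" is a self-signed stand-in constructed for the demo so the check can be exercised offline against both a good and a bad certificate.

```shell
# Added example, not from the runbook: build the Phase 1 CSR (specific CN,
# wildcard only in SAN) and check a returned cert for a wildcard in the CN.
set -e
WORK="${WORK:-$(mktemp -d)}"        # assumption: scratch directory for key/CSR/certs
CN="access2.ise.chla.org"
WILDCARD="*.ise.chla.org"

# Write an OpenSSL request config; $1 = CN to request, $2 = output path.
write_config() {
  cat > "$2" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $1
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$WILDCARD, DNS:$CN
EOF
}
# Phase 1: key + CSR via the OpenSSL CLI (2048-bit RSA assumed; runbook says confirm).
generate_csr() {
  write_config "$CN" "$WORK/ise.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ise.key" \
    -out "$WORK/ise.csr" -config "$WORK/ise.cnf" 2>/dev/null
}
# Phase 2 gate: return 0 only if the Subject CN has no wildcard and the SAN has one.
check_cert() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  san=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true)
  case "$cn" in
    \**) echo "FAIL $1: wildcard in Subject CN ($cn); Windows EAP supplicants reject"; return 1 ;;
  esac
  echo "$san" | grep -q "DNS:\*\.ise\.chla\.org" || { echo "FAIL $1: no wildcard SAN"; return 1; }
  echo "OK $1: CN=$cn, SAN includes $WILDCARD"
}

generate_csr
# Stand-in for a CA that honours the CSR: self-signed from the same key (constructed for the demo).
openssl x509 -req -in "$WORK/ise.csr" -signkey "$WORK/ise.key" -days 365 \
  -extfile "$WORK/ise.cnf" -extensions v3_req -out "$WORK/good.crt" 2>/dev/null
# Stand-in for a CA that copied the wildcard into the CN: the failure mode Phase 2 warns about.
write_config "$WILDCARD" "$WORK/bad.cnf"
openssl req -x509 -new -key "$WORK/ise.key" -config "$WORK/bad.cnf" -extensions v3_req \
  -days 365 -out "$WORK/bad.crt" 2>/dev/null
check_cert "$WORK/good.crt"
if check_cert "$WORK/bad.crt"; then echo "check failed to catch wildcard CN"; exit 1; fi
```

Run check_cert against the certificate the real CA returns before Phase 3; a FAIL on the CN means the CA must reissue, not that ISE import should proceed.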

Field                | Value
---------------------|----------------------------------------------------
PRJ ID               | PRJ-2026-06-ise-annual-cert-renewal
Author               | Evan Rosado
Created              | 2026-06-02
Updated              | 2026-06-02
Status               | Active
Category             | Infrastructure / PKI / Certificate Lifecycle
Priority             | P0
ISE Version          | Production (confirm)
Certificate Type     | Wildcard SAN with specific CN
CN Pattern           | access2.ise.chla.org (arbitrary FQDN — NOT wildcard)
SAN Pattern          | *.ise.chla.org (wildcard in SAN only)
Roles                | Admin, Portal, EAP Authentication, pxGrid
CA                   | confirm: AD CS (CHLASUBCA) / Entrust / other
Cisco Bug Reference  | CSCuh22029 — Windows rejects wildcard in CN for EAP