An engineer completes the setup of a two-node Cisco ISE deployment for a guest portal. When testing the portal, the engineer notices that sometimes there is a certificate CN mismatch. Which certificate type helps resolve this issue?
Public-Signed SAN Certificate:
A SAN (Subject Alternative Name) certificate allows multiple domain names to be included in a single certificate. This ensures that the certificate matches the FQDN used to access the guest portal, even if the portal is accessed via different URLs or hostnames. Public-signed certificates are also trusted by default by most browsers and devices, avoiding trust issues.
Why not the other options?
A. Public-Signed Root:
A public-signed root certificate is used to establish trust for other certificates but does not directly resolve CN mismatch issues for the guest portal.
C. Self-Signed Wildcard:
A self-signed wildcard certificate can cover multiple subdomains (e.g., *.example.com), but it is not trusted by default by browsers and devices, leading to potential trust issues. It also does not address FQDN mismatches if the portal is accessed via a specific domain name.
D. Self-Signed Standard:
A self-signed standard certificate is not trusted by default and is limited to a single CN, making it unsuitable for resolving CN mismatch issues.
Public-Signed SAN certificates allow multiple domain names to be included in a single certificate, which helps resolve the CN (Common Name) mismatch issue.
"Two-node Cisco ISE deployment." "A Subject Alternate Name (or SAN) certificate is a digital security certificate which allows multiple hostnames to be protected by a single certificate."
Bad wording of question!
A public-signed machine certificate with lots of SANs is possible (SANs for server 1, server 2, portal 1, portal 2, portal 3). I have been using THIS for years in a two-node installation. Best solution.
Public-signed wildcard certificates are also possible. 2nd best solution.
Self-signed wildcard certificates are possible. Lab solution only.
A SAN is a field in a certificate (!). From my understanding no Public-Signed SAN can exist.
Using a self-signed cert for a guest portal would cause SSL errors as guests would not have a trust relationship. Additionally, using wildcard certs is terrible security practice in general. You absolutely must use a public signed cert for guest purposes, and if you need more than one FQDN for the cert then you utilize the SAN (subject alternative name) field.
B is the correct answer.
I think that C is the correct answer.
For the Guest portal, a self-signed certificate is not the case; you need a public one.
The following article explains the error and says that SAN has not been included in the certificate:
https://www.globalsign.com/en/blog/what-is-common-name-mismatch-error
Mistyped. I think that B is the correct answer, not C
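As an added example (not part of the original thread), this Python sketch models the hostname check a client applies to a server certificate and reports which portal hostnames each certificate leaves uncovered. The hostnames and certificate contents are constructed, and it is an assumption of this example that guests may reach the portal under either node's FQDN or a shared portal FQDN.

```python
"""Which hostnames does a server certificate fail to cover? (constructed data)"""


def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label: *.example.com covers guest.example.com but neither
    example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert, hosts):
    """Return the hosts that would raise a name-mismatch warning.

    The CN is consulted only as a legacy fallback when the SAN list is empty;
    current browsers ignore the CN entirely and check SAN entries only.
    """
    names = cert["san"] or [cert["cn"]]
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


# Constructed hostnames for a two-node deployment plus a shared portal name.
HOSTS = ["ise1.example.com", "ise2.example.com", "guest.example.com"]

# Constructed certificate contents (names only, no key material).
CN_ONLY = {"cn": "ise1.example.com", "san": []}
WILDCARD = {"cn": "*.example.com", "san": ["*.example.com"]}
MULTI_SAN = {"cn": "guest.example.com", "san": list(HOSTS)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("wildcard", WILDCARD),
                        ("multi-SAN", MULTI_SAN)):
        print(f"{label:10} uncovered: {uncovered(cert, HOSTS)}")
```

The check covers name matching only; whether the client trusts the issuer (public CA versus self-signed) is a separate validation step.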