topic ISE Certificate SAN in Network Access Control

ISE Certificate SAN

descalante2007 — Mon, 11 Mar 2019 03:12:02 GMT

My customer is requesting to have a Certificate in ISE to avoid the warning certificate message on sponsor and guest portals. I understood the CSR generated by ISE can't support SAN, so the workaround is using openSSL (something I never heard about before ).

My questions are:

If I'm able to generate the CSR (I hope so), I will need to deliver it to the customer PKI (it is a Microsoft system). I should deliver the CSR and a key or just CSR?

Once the certificate is generated, should I receive just a .cer file?

In accord with the TAC document 113675 (Generate a certificate for ISE that binds to multiple names), I need to Import a Local Server Certificate ... Is that all? I don't need to bind the certificate with a CSR.

Honestly I'm worried about the openSSL, because I don't have an idea how to use it. I will appreciate your replies and any tip about this issue.

Thanks.

Daniel Escalante.

Re:ISE Certificate SAN

jan.nielsen — Thu, 14 Mar 2013 23:55:09 GMT

CSR only for The pki, openssl will generate CSR and private key if you follow The guide. When you
Get The .cer file you import both The .cer and The private key in ise.

Sent from Cisco Technical Support Android App

ISE Certificate SAN

Tarik Admani — Fri, 15 Mar 2013 04:20:21 GMT

Much like Jan said, you will also need the password for the private key. You can not generate multiple san (or dns names) using the built in CSR tool on the ISE portal. Here is a guide that should help you build the csr with the additional names:

http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bd0953.shtml

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE Certificate SAN

askhuran — Fri, 26 Apr 2013 01:19:49 GMT

ISE software also uses openssl. Though upto ISE 1.1.x interface does not provide with a field for SAN (Subject Alternative Name), but it should support wildcard certificates. It is just the interface that does not facilitate certificate and CSR generation. So we need to generate the certificate and CSR by explicit use of openssl

As far as wildcard certificate support is concerned, ISE 1.2 would definitely support this feature. This is confirmed

Re: ISE Certificate SAN

bberry — Tue, 18 Feb 2014 22:29:24 GMT

Hello all,

I am in the process of a new 1.2 ISE deployment and have come across an isue with the wildcard cert and generating the CSR. I have also spoken with TAC and they are telling me the same thing I am reading in the Cisco DOC so am missing somethng somewhere.

I am being told that ISE REQUIRES a FQDN for the CN and then you place the wildcard in the SAN. I cannot use the wildcard in the CN field. So far two different CA providers are tellng me I cannot generate a wild card certificate this way. How has anyone else gotten this to work. When I pressed TAC I was told it would probably work with the CN containing the wildcard but there have been reported issues specifically with microsoft clients. Considering the cost of the cert is several hundred dollars I do not want to be wrong.

Brent

Re: ISE Certificate SAN

Tarik Admani — Tue, 18 Feb 2014 22:54:23 GMT

The CN has to be in the certificate field, I do not know how you can get passed this requirement. The wording for wildcard certificates in ISE is a little misleading. In most environments when you use wildcard certs and the server accepts them. ISE does a validation check that the CN of the certificate must match the fqdn configured during setup.

The reason for this is that ISE uses certificate authentication to join all ISE nodes, so if there were a true wildcard certificate you could never get the nodes to register to one another.

You will have to generate a CSR with the CN of the fqdn of ISE and the SAN set to a widcard name.

Tarik Admani
*Please rate helpful posts*

Re: ISE Certificate SAN

bberry — Wed, 19 Feb 2014 14:27:26 GMT

Tarik,

There in lies the issue. So far all the CAs we have tried REQUIRE the asterisk be in the CN yet Cisco is requiring FQDN for CN with the asterisk in the SAN. Am I trying t acquire the wrond certificate type? Do I need to acquire a different type of certificate than what is called a "wildcard" certificate or a different CA where this actually works.

Brent

Re: ISE Certificate SAN

blenka — Thu, 20 Feb 2014 14:13:42 GMT

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html

Re: ISE Certificate SAN

bberry — Thu, 20 Feb 2014 14:38:15 GMT

Not to be picky but this was written back in 2012 so I figure for an earlier version of ISE? I am running the new 1.2 and want to make sure this will work since I do not want to buy a certificate then find out afterwords it is still the wrong one.

Re: ISE Certificate SAN

cgambrel — Thu, 20 Feb 2014 15:55:55 GMT

I have installed ISE version 1.2 several times using this method. Use a generic name in the CN field,ie. ise.xyz.com. In the SAN DNS field add ise.xyz.com and *.xyz.com. There are a few companies now that will build a wildcard certificate this way. You are looking for a "UCC" type cert. I have used Comodo and ssl.com in the past with no issues.