https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023667#M163143 <HTML><HEAD></HEAD><BODY><P>If you are going to use an inline node in your deployment, then my suggestions (along with experience) is to use a template that has the EKU for both client authentication and server authentication. The documentation clearly states this in the 1.1.1 release notes.</P><P></P><P>If you want to generate this type of cert then your best bet is to clone the Computer Template and allow web enrollment.</P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Mon, 22 Oct 2012 02:42:36 GMT Tarik Admani 2012-10-22T02:42:36Z https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023666#M163139 <P>Hi, </P><P></P><P>I would like to know about these on ISE CSR case. My business requreiment is </P><P>case 1: one primary node register one secondary node</P><P>case 2: one primary node register one inline posture node</P><P></P><P>I have a enterprise CA running on window server 2008 R2. so i not intend to use any self-signed certificate. </P><P></P><P>quesiton</P><P></P><P>1. what is the certificate template should i use when i try to submit my CSR request? For both case</P><P></P><P>2. For both case end result, how should the local certificate and certificate store look like (ISE running on VER1.1.1)? </P><P></P><P>3. should i do any convert on the microsfot based certificate in .cer extention to .pem, using openSSL?</P><P></P><P>Million Thanks</P><P></P><P>Noel</P> Mon, 11 Mar 2019 02:42:01 GMT https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023666#M163139 yong khang NG 2019-03-11T02:42:01Z https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023667#M163143 <HTML><HEAD></HEAD><BODY><P>If you are going to use an inline node in your deployment, then my suggestions (along with experience) is to use a template that has the EKU for both client authentication and server authentication. The documentation clearly states this in the 1.1.1 release notes.</P><P></P><P>If you want to generate this type of cert then your best bet is to clone the Computer Template and allow web enrollment.</P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Mon, 22 Oct 2012 02:42:36 GMT https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023667#M163143 Tarik Admani 2012-10-22T02:42:36Z https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023668#M163147 <HTML><HEAD></HEAD><BODY><P>Hi Tarik, </P><P></P><P>your statement is it mean that both Primary node and Inline Posture node need to use the certificate template that has the EKU for both client authenticatio and server authentication? </P><P></P><P>But i am sure that there's no computer to be select at the web enrollment, when i trying to submit the request at \certsrv.</P><P></P><P>If what if i able to use web server template to have both EKU select on the extention, would it be able to be use? As i fulfill the requirement of EKU for both client authenticaiton and server authetnicaiton. </P><P></P><P>Furthermore,&nbsp; i found this statement from Cisco documentation </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1110248">http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1110248</A></P><P></P><P>it mentioned:</P><P>The following combinations are recommended for the Administration certificate:</P><P>– Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.</P><P></P><P>The following combinations are recommended for the Inline Posture certificate:</P><P> –Both EKU attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.</P><P></P><P>I am really confused now.</P><P></P><P>looking forward on your reply..thanks</P></BODY></HTML> Mon, 22 Oct 2012 03:10:04 GMT https://community.cisco.com/t5/network-access-control/certificate-template-for-ise-csr/m-p/2023668#M163147 yong khang NG 2012-10-22T03:10:04Z