topic Re: ISE 2.4 generate CSR for renew multi-use public certificate in Network Access Control

ISE 2.4 generate CSR for renew multi-use public certificate

haltong — Mon, 11 Mar 2019 08:48:36 GMT

Hi all

I tried use ISE to generate CSR for customer renew their public signed certificate, when i choose all nodes of checkbox, it will generate CSR for each node, so when i download it i saw multiple CSR, is it correct?

Subject field
• CN=ise.abcde.com
• OU=IT
• O=ABCDE
• L=Hong Kong
• C=HK

Subject Alternative Name (SAN) field
• DNS Name: ise.abcde.com
• DNS Name: ise01.abcde.com
• DNS Name: ise02.abcde.com
• DNS Name: ise03.abcde.com

Signature Algorithm
• SHA256

Key Length
• 2048

Re: ISE 2.4 generate CSR for renew multi-use public certificate

andrewswanson — Thu, 23 Aug 2018 08:07:50 GMT

I recently done a similar csr for a 5 node 2.3 deployment - when you choose "all nodes" a csr is created for all nodes.

As my csr was for a single certificate for all 5 nodes (cn=radius.example.com with the 5 node's hostnames as SANs) I submitted 1 of these csrs to be signed. When I got the signed certificate back I imported it and bound it to the ISE node the csr came from.

I then exported this certificate/key and imported it onto the other ISE nodes.

Cheers
Andy

Re: ISE 2.4 generate CSR for renew multi-use public certificate

haltong — Tue, 28 Aug 2018 17:24:17 GMT

Hi Andy,

Thanks for information, seems rest of the CSRs is not necessary from your experience.

Did you also renew existing public certificate?

Re: ISE 2.4 generate CSR for renew multi-use public certificate

andrewswanson — Tue, 28 Aug 2018 21:10:15 GMT

Originally, the ISE nodes each had a separate certificate with unique cn e.g. ise-psn.example.com which was used for EAP/admin. The new single certificate with cn=radius.example.com (with all the ISE nodes hostnames as SANs) replaced all the old certificates so it wasn't technically a certificate renewal.

Cheers

Andy