topic I have not yet created the in Network Access Control

Installing wildcard cert on ISE for HTTP/EAP

MMstre — Wed, 13 Mar 2019 00:43:16 GMT

I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but i am not sure of the process, and the Cisco docs add to the confusion. Am i supposed to generate a new CSR to give to the CA, do i simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, i don't know...

Any assistance would be greatly appreciated

Hi,In order to create CSR

Ahmad Murad — Fri, 19 Sep 2014 16:26:55 GMT

Hi,

In order to create CSR file from the ISE using a wildcard certificate, you can do the following:

From the CSR page, enter the CN=*.yourdomain.com

and If you have a specific DNS entry for your ISE like ise1.yourdomain.com under the SAN fields.

Also, you need to check the box of "Allow Wildcard Certificate".

After that, you can generate and export the CSR and submit it to your CA to get the ID certificate (which you will bind it with the CSR).

Also, you need the CA certificate itself to be added on the ISE certificate store.

Thanks.

Ahmad.

I have not yet created the

MMstre — Fri, 19 Sep 2014 17:02:32 GMT

I have not yet created the CSR, and thank you for the instructions. My confusion is this:

I have the actual wildcard cert (*.domain.com cert), along with the CA bundle. I have imported the CA bundle already, but is there anything i should be doing with the *.domain.com cert?

Does it need to be imported, or is it useless? My understanding of a wildcard cert is that the single cert can be installed on whatever you'd like to use it on... or do you still need to go through the CSR process for each application on which you'd like to use it?

Unfortunately, you need first

Ahmad Murad — Sat, 20 Sep 2014 07:40:34 GMT

Unfortunately, you need first to create a CSR with wildcard filed either on the CN or DNS fields, and then you need to sign this CSR from the CA using the exact same values and bind it again to the CSR on the ISE configuration.

If you are already in the

nspasov — Sun, 21 Sep 2014 17:48:40 GMT

If you are already in the possession of the wildcard cert and the private key, then you don't need CSR. You can simply import the certificate in ISE:

1. Go to Administration > Certificates > Local Certificates > Add > Import Server Certificate

2. Use the "browse" buttons to point to the certificate file and private key

3. Check "Allow Wildcard Certificates"

4. Select the protocol that you want to use it for (EAP or HTTPS or both)

5. Hit submit

6. Go to Certificates Store

7. Import the root CA certificate and Intermediate CA certificate(s) (If any)

Thank you for rating helpful posts!

A word of caution. If you are

jan.nielsen — Mon, 29 Sep 2014 03:53:49 GMT

A word of caution. If you are planning to use this cert for 802.1x in BYOD environments you should look into using a SAN cert instead. with all your PSNs in it, wildcard certs are not good for windows machines in e peap/byod scenario, and iOS also has issues with certain wildcard certs.

Re: A word of caution. If you are

m.cucchi — Sun, 08 Oct 2023 10:41:31 GMT

Hi Jan sorry for this question but for my understand:

I have two ISE node

1) PAN PSN MnT name ise1.ise.labdomain.com

2) PAN PSN MnT name ise2.ise.labdomain.com

In the CSR what name i need to PUT in the CN and in the SAN ?

In the SAN i put *.ise.labdomain.com but you mention alse PSN ... Can you explain me this behaviour please ?