topic Hello Jatin. Thanks for the in Network Access Control

cisco ise 1.2 install certificates for ise cluster question

west33637 — Mon, 11 Mar 2019 04:40:06 GMT

hello all i have an ise cluster of 4 devices. 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes

i need to install public CA certs on them. can I generate 1 CSR on one of the nodes, that includes a SAN with the DNS names of all the nodes?

Therefore get only 1 cert from the CA, and export and import the same cert into all the other nodes?

or do i have to generate 1 CSR for each node and purchase 4 certs? Wild card certs is not an option. tHANKS,

ISE allows you to install a

Jatin Katyal — Fri, 25 Apr 2014 06:57:17 GMT

ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.

The CSR for such a certificate cannot be generated from the ISE GUI. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html

Cisco ISE checks for a matching subject name as follows:

1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.

2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3. If no match is found, the certificate is rejected.

Regards,

Jatin Katyal

*Do rate helpful posts*

Yes, I agree with Jatin.

Saurav Lodh — Fri, 25 Apr 2014 07:52:47 GMT

Yes, I agree with Jatin. Please see what SAN is and how it is useful

The Subject Alternative Name field :

Subject Alternative Names let you protect multiple host names with a single SSL certificate.

Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate.
Secure host names on different base domains in one SSL Certificate. A wildcard certificate can protect all first-level subdomains on an entire domain, such as *.example.com. But a wildcard cannot protect both www.example.com and www.example.net.

Hello Jatin. Thanks for the

west33637 — Fri, 25 Apr 2014 14:45:00 GMT

Hello Jatin. Thanks for the response. It was very helpful. You mentioned that the CSR cannot be generated from the ISE GUI. I believe that in 1.2 you can add the SAN DNS to the CSR in the GUI.

Im not sure if that document is referring to an older version? Can you confirm this? Thanks.

Yes, you're correct. The

Jatin Katyal — Fri, 25 Apr 2014 14:57:05 GMT

Yes, you're correct. The document was created prior to ISE 1.2. You can generate CSR from the ISE GUI and add SAN.

Regards,

Jatin Katyal

*Do rate helpful posts*