Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2726
Views
0
Helpful
3
Replies

ISE 2.0 , You can use a single certificate for multiple services, but doing so is not a recommended practice.

Go to solution
Gaurav Sharma
Cisco Employee
Cisco Employee

‎03-28-2016 12:20 PM

While generating the CSR you have an option to generate it for multi-use certificate  and then there is a warning which says "Its not recommended practice" can I get more explanation on why is this feature even added to ISE if it is not recommended ?

I am trying to use a single certificate with multiple SAN names for different purpose  , Is this Possible  ? If so , what are the implications of using multi-use certificate as its not a recommended practice ?

- Gaurav Sharma

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎03-28-2016 12:57 PM

Gaurav,

You can generate a CSR with multiple SANs for use throughout your deployment which is a supported configuration.  This functionality, for example, will allow you to use a single certificate across multiple PSNs for portal use.  On the other hand, a multi-use certificate has all the functions of Admin, Portal, PxGrid, and EAP authentication.  Best practice recommends having a certificate for each one of these functions.  We give the administrator to do so in case the installation is for lab use only.  That way, tons of certificates won't be required to test out all features.

Regards,

-Tim

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎03-28-2016 12:57 PM

Gaurav,

You can generate a CSR with multiple SANs for use throughout your deployment which is a supported configuration.  This functionality, for example, will allow you to use a single certificate across multiple PSNs for portal use.  On the other hand, a multi-use certificate has all the functions of Admin, Portal, PxGrid, and EAP authentication.  Best practice recommends having a certificate for each one of these functions.  We give the administrator to do so in case the installation is for lab use only.  That way, tons of certificates won't be required to test out all features.

Regards,

-Tim

0 Helpful

Go to solution
Gaurav Sharma
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎03-28-2016 01:16 PM

Thanks Tim !

Do we still have to select "Multi-Use" option for CSR when using the same certificate with multiple SANs .

This certificate would be used as Portal-Certificate and Admin-Cert .

- Gaurav Sharma

0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to Gaurav Sharma

‎03-28-2016 01:24 PM

Gaurav,

No, you don't need to select multi-use to add multiple SANs.  If you are going to use the certificate for portals as well as the admin portal, then you would have to select multi-use.  Is there a reason you would want to use the same certificate on portals as well as the admin interface?  The Admin interface is only used by administrators where as guest portals are server to clients the would throw and error if the SSL certificate isn't signed by a trusted root authority.

Regards,

-Tim

0 Helpful
Customers Also Viewed These Support Documents