Unable to import a wildcard cert to the PSN

Jozef Cmorej
Level 1

Hello,

I would like to import a wildcard cert to one of the PSNs in the DMZ that provides guest access. I can import the cert with the private key to the PAN but not to the rest of the ISE nodes as I cannot select a specific node during the import process.

ISE GUI says:
Wildcard Certificate will be replicated/copied to all nodes in the deployment.
Node selection is hence disabled.

Once I import the certificate to the PAN, I do not see any replication of it to other nodes. Once the guests connect to the guest net, they still get a self-signed cert from the PSN in the DMZ.

I have tried to import the cert to a different portal group tag but it did not work, either.

How can I import the wildcard cert to the specific PSN?

The ISE Deployment:
Version 2.3, distributed environment with several VMs

Thank you.


2 Replies

howon
Cisco Employee

You can log in to the individual node GUI and manage the certificates. If this is just for the guest portal, you should be able to simply assign the wildcard certificate to a portal tag (or Default) and then assign the tag to the guest portal to take effect. I've noticed certain versions of ISE nodes may require a restart to take effect after the portal tag update.

hslai
Cisco Employee

Besides what howon said,

We may un-check the selection [ ] Allow Wildcard Certificates, and import the key and cert to each of the individual nodes.

Note that the certificate needs a wildcard domain entry (e.g. *.aSLD.aTLD) either in the CN or as a DNS entry in the SAN. Also known issues -- CSCvn62923, CSCvg36087, CSCvg36122, and CSCve29595.
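The reply above states the requirement ISE applies: the certificate must carry a wildcard entry either in the subject CN or as a DNS name in the SAN. Before importing a certificate on each node, it helps to confirm both that the certificate is a well-formed wildcard certificate and that the wildcard actually covers the FQDN of the PSN that will present it (a wildcard only matches one label, so *.guest.example.net does not cover guest.example.net or a host two labels deep). The following is an added example, not code from the thread or from Cisco: it takes the CN and SAN DNS names as already-extracted strings (for instance from `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`) and reports coverage for a constructed, hypothetical list of ISE node FQDNs.

```python
"""Check whether a wildcard certificate's names cover a set of ISE node FQDNs.

Added example (not from the thread). The certificate names and node FQDNs
below are constructed samples. Matching follows the common RFC 6125 rules:
a wildcard may only be the entire leftmost label, it matches exactly one
label, and it never matches the bare domain.
"""
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_wildcard_name(name):
    """True for a well-formed wildcard entry such as *.example.com.

    Requires at least two labels after the '*' (so '*.com' is rejected, as
    public CAs refuse it) and every remaining label to be a valid DNS label.
    """
    labels = name.lower().rstrip(".").split(".")
    return (len(labels) >= 3 and labels[0] == "*"
            and all(LABEL_RE.match(lbl) for lbl in labels[1:]))


def name_matches(cert_name, hostname):
    """Does one certificate name (exact or wildcard) cover this hostname?"""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        # Exact names must match exactly; partial-label wildcards such as
        # f*.example.com fall through here and therefore never match.
        return cert_name == hostname
    if not is_wildcard_name(cert_name):
        return False
    wild_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard stands in for exactly one leftmost label; the remaining
    # labels must be identical.
    return (len(host_labels) == len(wild_labels)
            and host_labels[1:] == wild_labels[1:]
            and LABEL_RE.match(host_labels[0]) is not None)


def coverage_report(subject_cn, san_dns, node_fqdns):
    """Summarise whether the cert is a wildcard cert (ISE's CN-or-SAN rule)
    and which node FQDNs its names cover.

    Clients validate against the SAN when one is present; the CN is used
    only as a legacy fallback when the SAN carries no DNS names.
    """
    all_names = [n for n in [subject_cn, *san_dns] if n]
    client_names = list(san_dns) or ([subject_cn] if subject_cn else [])
    return {
        "is_wildcard_cert": any(is_wildcard_name(n) for n in all_names),
        "cn_only": not san_dns,
        "covered": {fqdn: any(name_matches(n, fqdn) for n in client_names)
                    for fqdn in node_fqdns},
    }


# Constructed sample: a wildcard for the guest DNS zone plus the bare zone name.
SAMPLE_CN = "*.guest.example.net"
SAMPLE_SAN = ["*.guest.example.net", "guest.example.net"]
# Hypothetical ISE node FQDNs in a distributed deployment.
SAMPLE_NODES = [
    "ise-pan-01.corp.example.net",        # PAN in a different zone: not covered
    "ise-psn-dmz-01.guest.example.net",   # DMZ PSN one label deep: covered
    "guest.example.net",                  # covered only via the exact SAN entry
    "portal.dmz.guest.example.net",       # two labels deep: not covered
]


def sample_report():
    return coverage_report(SAMPLE_CN, SAMPLE_SAN, SAMPLE_NODES)


if __name__ == "__main__":
    report = sample_report()
    print("wildcard cert per CN/SAN rule:", report["is_wildcard_cert"])
    print("CN only (no SAN DNS names):   ", report["cn_only"])
    for fqdn, ok in report["covered"].items():
        print(f"{'COVERED' if ok else 'NOT COVERED':12} {fqdn}")
```

Run it as-is to see the constructed case, or replace SAMPLE_CN, SAMPLE_SAN and SAMPLE_NODES with the names from your own certificate and deployment. A node reported as NOT COVERED will keep producing browser warnings even after the import succeeds, which is worth checking before chasing replication or portal-tag problems.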
