10-20-2012 11:35 PM - edited 03-10-2019 07:42 PM
Hi,
I would like to know about these on ISE CSR case. My business requirement is
case 1: one primary node register one secondary node
case 2: one primary node register one inline posture node
I have an enterprise CA running on Windows Server 2008 R2, so I do not intend to use any self-signed certificate.
Questions
1. What certificate template should I use when I submit my CSR request, for both cases?
2. For both cases, how should the local certificate and certificate store look as the end result (ISE running on version 1.1.1)?
3. Should I convert the Microsoft-based certificate with the .cer extension to .pem using OpenSSL?
Million Thanks
Noel
10-21-2012 07:42 PM
If you are going to use an inline node in your deployment, then my suggestion (along with experience) is to use a template that has the EKU for both client authentication and server authentication. The documentation clearly states this in the 1.1.1 release notes.
If you want to generate this type of cert then your best bet is to clone the Computer Template and allow web enrollment.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-21-2012 08:10 PM
Hi Tarik,
Does your statement mean that both the Primary node and the Inline Posture node need to use a certificate template that has the EKU for both client authentication and server authentication?
But I am sure that there is no Computer to select at the web enrollment when I try to submit the request at \certsrv.
What if I am able to use the Web Server template with both EKUs selected in the extension, would it be usable? Since I fulfill the requirement of the EKU for both client authentication and server authentication.
Furthermore, I found this statement in the Cisco documentation:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1110248
It mentions:
The following combinations are recommended for the Administration certificate:
– Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.
The following combinations are recommended for the Inline Posture certificate:
– Both EKU attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.
I am really confused now.
Looking forward to your reply. Thanks.
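
The EKU combinations quoted from the Cisco guide in the post above, encoded as a check over `openssl x509 -noout -text` output. This is an added example, not part of the thread and not Cisco's code; it assumes "disabled" means the usage is absent from the certificate, and the sample outputs and function names are constructed for illustration.

```python
import re

SERVER = "TLS Web Server Authentication"   # label OpenSSL prints for serverAuth
CLIENT = "TLS Web Client Authentication"   # label OpenSSL prints for clientAuth
BOTH, NONE, SERVER_ONLY = frozenset({"server", "client"}), frozenset(), frozenset({"server"})

def eku_flags(openssl_text):
    """Return which of server/client auth appear in `openssl x509 -noout -text` output."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", openssl_text)
    if not m:
        return NONE  # assumption: no EKU extension counts as both attributes disabled
    usages = {u.strip() for u in m.group(1).split(",")}
    flags = set()
    if SERVER in usages:
        flags.add("server")
    if CLIENT in usages:
        flags.add("client")
    return frozenset(flags)

def check_pair(admin, ipn):
    """Compare Administration and Inline Posture EKU flags with the quoted recommendations.

    Returns a list of findings; an empty list means the pair is a recommended combination.
    """
    findings = []
    if ipn not in (NONE, BOTH, SERVER_ONLY):
        findings.append("Inline Posture cert: client EKU alone is not a recommended combination")
    if ipn == NONE and admin != NONE:
        findings.append("Administration cert: both EKUs should be disabled to match Inline Posture cert")
    if "server" in ipn and admin != BOTH:
        findings.append("Administration cert: both EKUs should be enabled when Inline Posture has server EKU")
    return findings

# Constructed excerpts of `openssl x509 -noout -text` output (not from real certificates).
SAMPLE_BOTH = """        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
"""
SAMPLE_SERVER_ONLY = """        X509v3 extensions:
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    admin, ipn = eku_flags(SAMPLE_SERVER_ONLY), eku_flags(SAMPLE_SERVER_ONLY)
    for finding in check_pair(admin, ipn) or ["recommended combination"]:
        print(finding)
```
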