certificate template for ISE CSR

yong khang NG
Level 5

Hi,

I would like to know about these on ISE CSR case. My business requirement is:

Case 1: one primary node registers one secondary node

Case 2: one primary node registers one inline posture node

I have an enterprise CA running on Windows Server 2008 R2, so I do not intend to use any self-signed certificate.

Questions

1. What certificate template should I use when I try to submit my CSR request? For both cases.

2. For both cases' end result, how should the local certificate and certificate store look (ISE running on VER1.1.1)?

3. Should I do any conversion of the Microsoft-based certificate from the .cer extension to .pem, using OpenSSL?

Million Thanks

Noel

2 Replies

Tarik Admani
VIP Alumni

If you are going to use an inline node in your deployment, then my suggestion (along with experience) is to use a template that has the EKU for both client authentication and server authentication. The documentation clearly states this in the 1.1.1 release notes.

If you want to generate this type of cert then your best bet is to clone the Computer Template and allow web enrollment.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Does your statement mean that both the Primary node and the Inline Posture node need to use the certificate template that has the EKU for both client authentication and server authentication?

But I am sure that there's no computer to be selected at the web enrollment when I try to submit the request at \certsrv.

What if I am able to use the web server template with both EKUs selected in the extension, would it be usable? As I fulfill the requirement of EKU for both client authentication and server authentication.

Furthermore, I found this statement in the Cisco documentation:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1110248

It mentions:

The following combinations are recommended for the Administration certificate:

– Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.

The following combinations are recommended for the Inline Posture certificate:

– Both EKU attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.

I am really confused now.

Looking forward to your reply. Thanks.
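
An added example, not part of the thread and not Cisco's procedure: a Windows CA can hand back a `.cer` as either binary DER or Base64, so this sketch normalises either form to PEM with OpenSSL and then checks that the certificate carries both EKUs discussed above. The file names, the host name and the throwaway self-signed certificate standing in for the CA's reply are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: paths and the sample certificate are constructed for illustration.

# Normalise a CA-issued .cer (binary DER or Base64) to PEM.
cer_to_pem() {  # usage: cer_to_pem in.cer out.pem
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    openssl x509 -in "$1" -out "$2"              # Base64 .cer is already PEM text
  else
    openssl x509 -inform DER -in "$1" -out "$2"  # binary DER .cer
  fi
}

# Succeed only if the certificate lists both server and client authentication EKUs.
has_both_ekus() {  # usage: has_both_ekus cert.pem
  local text
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'
}

# Build a throwaway self-signed DER certificate standing in for the CA reply.
make_sample_cer() {  # usage: make_sample_cer dir "eku, list"
  local d=$1
  cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ise-node.example.test
[ext]
extendedKeyUsage = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
    -keyout "$d/key.pem" -out "$d/tmp.pem" 2>/dev/null &&
    openssl x509 -in "$d/tmp.pem" -outform DER -out "$d/node.cer"
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_sample_cer "$d" "serverAuth, clientAuth" &&
    cer_to_pem "$d/node.cer" "$d/node.pem" &&
    has_both_ekus "$d/node.pem" && echo "both EKUs present"
  local rc=$?; rm -rf "$d"; return $rc
}
demo
```

Running `has_both_ekus` on the issued certificate before importing it shows whether the template used actually produced both EKUs.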