03-14-2018 10:11 AM
Hi,
I'm using ISE 2.3 and I have 3 nodes all of which will have the PSN persona.
I'm going to be generating a CSR for them. I see in the "Generate CSR for these Nodes" all 3 of my nodes are there and I can select them all.
My understanding is that if I select all 3 nodes then 3 CSR's will be generated and I will need to submit 3 CSRs to my CA and I will receive 3 certs back from them. This is a costly option.
I also see there is a field for Subject Alternative Name. My hope is to save some cash, although it may not be possible. I would like to generate one CSR that includes the DNS name of all 3 of my ISE nodes, submit that one CSR to a CA. Then the CA will return one identity cert that I can install on all 3 nodes?
Is this supported?
Thanks
Tim
03-14-2018 08:13 PM
Yes this is supported.
You will need something in the CN field, for example, ise.mydomain.com and can enter the specific node names in the DNS SAN entries (as you have listed above).
Note, the CA may charge differently for a SAN certificate.
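As an added illustration (not from this thread or from ISE itself), the same CSR shape built with openssl: a single deployment-wide CN with every node FQDN in the DNS SAN list, followed by a read-back of the SANs so they can be verified before the CSR goes to the CA. The key/CSR paths and the temporary directory are assumptions; the example also repeats the CN in the SAN because modern clients validate names against the SAN only and ignore the CN.

```shell
#!/bin/sh
# Build one CSR: CN = deployment name, SAN = every node FQDN (plus the CN).
set -eu

# make_san_csr <key-file> <csr-file> <CN> <dns-name>...
# Writes a 2048-bit RSA key and a CSR carrying a subjectAltName extension.
make_san_csr() {
    key="$1"; csr="$2"; cn="$3"; shift 3
    san="DNS:$cn"                       # CN repeated in SAN; clients ignore CN
    for name in "$@"; do
        san="$san,DNS:$name"
    done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# csr_sans <csr-file>: print the DNS names in the CSR's SAN extension, one per line.
# Check this before submitting: a name missing here means buying again later.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Assumed working directory; node names are the ones from the thread.
workdir=$(mktemp -d)
make_san_csr "$workdir/ise.key" "$workdir/ise.csr" ise.mydomain.com \
    isenode1.mydomain.com isenode2.mydomain.com isenode3.mydomain.com
csr_sans "$workdir/ise.csr"
```

The same private key must accompany the signed certificate when it is exported to the other nodes, so keep the key file with the CSR.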
03-14-2018 10:17 AM
Yes that’s supported
You can fill the SAN field with a wildcard DNS name when building a multinode CSR
That signed CSR will cover the entire deployment
Thanks
Ahmed
Sent from my iPhone
03-14-2018 10:37 AM
Hello Ahmed,
I understand I can use *.mydomain.com but for other reasons, I'm unable to do that. My Org will not allow a wildcard cert at that high a level.
I was hoping to use the SAN field this way,
isenode1.mydomain.com
isenode2.mydomain.com
isenode3.mydomain.com
Is creating one CSR with these DNS names in the SAN field supported?
Thanks!
03-14-2018 08:18 PM
Remember if you have to add a service later you will need to regenerate and buy again
So plan it out
Add in mydevices.domain.com sponsor.domain.com
Psn1-20
Sent from my iPhone
07-10-2019 11:59 AM
Since there is no option to add a SAN in the CSR, can we add multiple CNs (CN=vpn1.mydomain.com, CN=vpn2.mydomain.com) in a single CSR?
In this case we can add one FQDN only in Certificate parameter field (Add Identity Certificate -> Advanced.. option)
03-19-2018 08:04 AM
Thanks for all the advice, I greatly appreciate the comments!
Another question on CSR & SAN Certs.
When generating the CSR I don’t believe I should generate a CSR for all the nodes. I believe that I only need to generate one CSR that contains a unique Common Name and contains all the node names in the SAN field.
Ok so if that is correct, then I generate that one CSR then submit it to the public CA. The CA will send me an ID Cert for the nodes, and also an Intermediate and Trusted Root cert.
But, since nodes 2 & 3 do not have a CSR generated, I don't see a method to install the ID cert I received from the CA?
Thanks very much for any guidance.
Tim
03-19-2018 03:00 PM
After binding the signed certificate on the node that the SAN CSR was done on I just export the certificate (including private key) and import into the other nodes.
03-22-2018 06:55 AM
Thanks dmh! I was able to do that in a lab environment but I'm glad to hear that's what others are doing in prod.