cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1661
Views
5
Helpful
1
Replies

CSR for third party signed CA

Hello Team

 

We have 12 nodes distributed  deployment and we want to raise csr for guest portal whose cert was signed by third party CA

 

CN : $FQDN$

SAN : hostname.company.com (8 different entry in SAN)

 

While generating CA we have selected all 8 nodes on which guest service is enabled.

 

 1.Now there are 8 separate CSR are generated ..so do we need to submit all 8 CSR or only one is sufficient ??

 

2. Also while binding that signed copy..do we need to bind it for all 8 CSR ?? or we can just bind to one node and import to all other node manually ??

 

Please suggest ...

 

 

 

 

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

You have a couple of different options for this. When you generate a CSR and tick the box for more than one ISE nodes, it creates an individual CSR for each of the nodes.

If you want to use a separate certificate for each node, you would need to have each CSR signed by the CA individually, then bind each cert to the 8 individual nodes.

Another option that I often use for customers is to use a single Guest Portal certificate across all nodes. For that, you would  generate the CSR for one node that has all the PSN FQDNs in the SAN, bind that cert to the first PSN, then export that cert with the private key and import it for the rest of the PSNs.

View solution in original post

1 Reply 1

Greg Gibbs
Cisco Employee
Cisco Employee

You have a couple of different options for this. When you generate a CSR and tick the box for more than one ISE nodes, it creates an individual CSR for each of the nodes.

If you want to use a separate certificate for each node, you would need to have each CSR signed by the CA individually, then bind each cert to the 8 individual nodes.

Another option that I often use for customers is to use a single Guest Portal certificate across all nodes. For that, you would  generate the CSR for one node that has all the PSN FQDNs in the SAN, bind that cert to the first PSN, then export that cert with the private key and import it for the rest of the PSNs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: