Solved: Re: CSR for third party signed CA

siddhesh.parab@orange.com1 · ‎05-25-2020

Hello Team

We have 12 nodes distributed deployment and we want to raise csr for guest portal whose cert was signed by third party CA

CN : $FQDN$

SAN : hostname.company.com (8 different entry in SAN)

While generating CA we have selected all 8 nodes on which guest service is enabled.

1.Now there are 8 separate CSR are generated ..so do we need to submit all 8 CSR or only one is sufficient ??

2. Also while binding that signed copy..do we need to bind it for all 8 CSR ?? or we can just bind to one node and import to all other node manually ??

Please suggest ...

Greg Gibbs · ‎05-25-2020

You have a couple of different options for this. When you generate a CSR and tick the box for more than one ISE nodes, it creates an individual CSR for each of the nodes.

If you want to use a separate certificate for each node, you would need to have each CSR signed by the CA individually, then bind each cert to the 8 individual nodes.

Another option that I often use for customers is to use a single Guest Portal certificate across all nodes. For that, you would generate the CSR for one node that has all the PSN FQDNs in the SAN, bind that cert to the first PSN, then export that cert with the private key and import it for the rest of the PSNs.

View solution in original post

Greg Gibbs · ‎05-25-2020

You have a couple of different options for this. When you generate a CSR and tick the box for more than one ISE nodes, it creates an individual CSR for each of the nodes.

If you want to use a separate certificate for each node, you would need to have each CSR signed by the CA individually, then bind each cert to the 8 individual nodes.

Another option that I often use for customers is to use a single Guest Portal certificate across all nodes. For that, you would generate the CSR for one node that has all the PSN FQDNs in the SAN, bind that cert to the first PSN, then export that cert with the private key and import it for the rest of the PSNs.