CSR for third party signed CA

Hello Team

We have a 12-node distributed deployment and we want to raise a CSR for the guest portal, whose cert was signed by a third-party CA.

CN : $FQDN$

SAN : hostname.company.com (8 different entries in SAN)

While generating CA we have selected all 8 nodes on which guest service is enabled.

1. Now there are 8 separate CSRs generated, so do we need to submit all 8 CSRs, or is only one sufficient?

2. Also, while binding that signed copy, do we need to bind it for all 8 CSRs, or can we just bind it to one node and import it to all other nodes manually?

Please suggest.

Accepted Solutions
Greg Gibbs
Cisco Employee

You have a couple of different options for this. When you generate a CSR and tick the box for more than one ISE node, it creates an individual CSR for each of the nodes.

If you want to use a separate certificate for each node, you would need to have each CSR signed by the CA individually, then bind each cert to the 8 individual nodes.

Another option that I often use for customers is to use a single Guest Portal certificate across all nodes. For that, you would generate the CSR for one node that has all the PSN FQDNs in the SAN, bind that cert to the first PSN, then export that cert with the private key and import it for the rest of the PSNs.
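A pre-import check for the single-certificate option described in the answer above, added here as an example and not part of the original reply or of ISE itself: it confirms that the CA-signed certificate's SAN covers every PSN FQDN and that the exported private key belongs to that certificate. It assumes the certificate and key are available as PEM files on an admin workstation with OpenSSL 1.1.1 or later; all host names and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-import checks for a shared guest-portal certificate.
# Host names and file names are constructed placeholders (assumptions).

# Print the DNS entries of a certificate's SAN extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every required FQDN that the SAN does not cover (exact entry or a
# one-label wildcard such as *.example.com). Empty output means full coverage.
missing_sans() (
    cert=$1; shift
    sans=$(san_dns_names "$cert")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qixF -e "$name" -e "*.${name#*.}" ||
            printf '%s\n' "$name"
    done
)

# Succeed only if the private key belongs to the certificate, by comparing
# the public key extracted from each file.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed sample: throwaway self-signed cert with two PSN names in the SAN.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=psn1.example.com" \
        -addext "subjectAltName=DNS:psn1.example.com,DNS:psn2.example.com" \
        -keyout "$1/portal.key" -out "$1/portal.pem" 2>/dev/null
}

# Demo on the constructed sample: psn3 is not in the SAN, so it is reported.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample "$demo_dir"
missing_sans "$demo_dir/portal.pem" \
    psn1.example.com psn2.example.com psn3.example.com
key_matches_cert "$demo_dir/portal.pem" "$demo_dir/portal.key" &&
    echo "private key matches certificate"
```

A non-empty result from `missing_sans` means a PSN would present a certificate that does not name it, so guests redirected to that node would see a certificate warning.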
