08-08-2013 02:27 PM - edited 03-10-2019 08:45 PM
Hello guys,
My customer doesn't have a CA, but instead has wildcard certificates.
I will implement ISE in 3 different locations (each location independent and with all ISE services). I haven't looked in depth at wildcard certs, but does ISE support this type of certificate? The certs I need are only so that corporate users are not shown the SSL cert error when accessing ISE portals.
If wildcard certificates are supported, then will every independent site need to create a separate CSR for each one of them?
Thanks!
Emilio
08-08-2013 03:36 PM
Version 1.2 which just came out appears to, but the older version did not.
08-08-2013 03:51 PM
It seems to be added in ISE 1.2
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1053232
~BR
Jatin Katyal
**Do rate helpful posts**
08-08-2013 09:07 PM
Thanks guys, so I'm assuming the following (please correct me if I'm wrong).
I have 2 different locations, each one of them with their own ISE in standalone mode, but they depend on the same wildcard certificates entity and share DNS, NTP, etc.
They will each have their own URLs for sponsor, guest and device portal, so I am assuming that I will have to send a CSR with all needed FQDNs for each site, right? That makes a total of 2 wildcard certs, one for each ISE deployment?
Thanks!
Emilio
08-09-2013 12:09 PM
Support for Universal Certificates:
Cisco ISE, Release 1.2 supports the use of wildcard server certificates for HTTPS (web-based services)
and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no longer have
to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN
field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field
allows you to share a single certificate across multiple nodes in a deployment and helps prevent
certificate-name mismatch warnings.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Kindly find the attached PDF for your clarification that ISE 1.2 supports wildcard certificates. Even I had highlighted the same on page 14.
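The following is an added example, not part of the thread or of Cisco's documentation: a Python sketch of the RFC 6125 wildcard-matching rule that TLS clients commonly apply, used to check which portal FQDNs a wildcard SAN entry would actually cover. The hostnames and the `san_matches` / `uncovered` helpers are constructed for illustration.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry covers hostname.

    Conservative RFC 6125 (section 6.4.3) rule: '*' is honoured only as the
    whole leftmost label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans several labels, so label counts must agree.
    if len(p) != len(h) or "" in h or any("*" in label for label in h):
        return False
    # '*' anywhere but the leftmost label is not a valid wildcard.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Require a real parent domain under the wildcard (no '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        # Partial wildcards such as 'ise*.example.com' are rejected here.
        return False
    return p == h


def uncovered(san_entries, hostnames):
    """List the hostnames that no SAN entry covers (these would warn)."""
    return [name for name in hostnames
            if not any(san_matches(entry, name) for entry in san_entries)]


# Constructed sample data: portal names for two standalone deployments.
PORTALS = [
    "ise1.example.com",
    "sponsor.example.com",
    "guest.site2.example.com",   # one label deeper than the wildcard
    "example.com",               # the bare parent domain
]

if __name__ == "__main__":
    print(uncovered(["*.example.com"], PORTALS))
    print(uncovered(["*.example.com", "*.site2.example.com", "example.com"],
                    PORTALS))
```

If the two sites place their portals under per-site subdomains, a single `*.example.com` entry does not cover them; each extra level needs its own SAN entry.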