Guest Certificate Renewal in ISE

Hi Experts,

We're planning to renew the Guest certificate in Cisco ISE (2.6). Please note, this is a Multi-domain SSL certificate.

I have some queries:

1. While raising the CSR, I selected 'Multi-use' with the PSNs, so that later on, when binding the certificate, I can select the portal option. Is this the correct method, or should I select only the 'Portal' option when raising the CSR?

2. Since this is Multi-domain SSL, I set CN=ise.domain.com and placed this domain, in addition to the PSN domains, in the SAN. Is this the correct procedure?

3. When viewing the existing certificate in System Certificates, it shows no value in the CN. Any idea why that is?

Also, can someone please give me an overview or the best practice to get this done?

Cheers,


poongarg
Cisco Employee
1. While raising the CSR, it is fine to select the "Multi-use" option, as this will allow the certificate to be used later for other purposes as well, if you are required to change the certificate usage later.
2. Do you want to use this certificate on other ISE nodes as well?
3. It seems the certificate CSR was not generated correctly.

Refer to the document below to replace the certificate on ISE:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

Hi, thanks for the reply.

#2: Yeah, we're tying it to the multiple PSNs (01/02) in addition to the sub-domain mentioned in the CN.

#3: The certificate's "Issued To" is showing as 'Multi-domain SSL'.

Why is that? Does this imply the Wildcard certificate option was checked?

And what if I import only the private key (from the existing working certificate) and the new server/identity certificate for the Guest portal? Will it work?

Without selecting the wildcard option, ISE will not allow the CN field to be left blank. If the existing certificate's CN is blank, then it must have a Subject Alternative Name field with a wildcard.

Check the document below for a detailed explanation:

https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

Hope it will help.
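As an added example (not code from the thread or from Cisco), the POSIX shell script below builds a CSR with the layout the poster describes, CN=ise.domain.com with the CN and both PSN FQDNs as DNS SANs, and then runs the two checks worth doing before a CSR goes to the CA: that the CN is not blank (question 3) and that every expected hostname is present in the SAN (question 2). The PSN hostnames are placeholders; the same two check functions work on a CSR exported from ISE by pointing them at that PEM file.

```shell
# Added example, not code from the thread: build a multi-domain CSR with
# CN=ise.domain.com plus DNS SANs for the CN and each PSN, then verify it.
set -e

WORK="$(mktemp -d)"
CN="ise.domain.com"
PSNS="ise-psn01.domain.com ise-psn02.domain.com"   # placeholder PSN FQDNs

# Build the CSR. The CN is repeated in the SAN on purpose: browsers match
# the portal FQDN against the SAN only and ignore the CN.
make_csr() {
  san="DNS:${CN}"
  for h in ${PSNS}; do san="${san},DNS:${h}"; done
  cat > "${WORK}/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = ${CN}
[ext]
subjectAltName = ${san}
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "${WORK}/guest.key" \
    -out "${WORK}/guest.csr" -config "${WORK}/csr.cnf" 2>/dev/null
}

# Print the CN of a CSR; empty output means a blank CN (question 3).
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline,lname \
    | sed -n 's/^ *commonName *= *//p'
}

# Return 0 only if every hostname given appears as a DNS SAN in the CSR.
csr_has_sans() {
  csr="$1"; shift
  sans="$(openssl req -in "$csr" -noout -text | sed -n 's/^ *DNS:/DNS:/p' | tr -d ' '),"
  for h in "$@"; do
    case "$sans" in *"DNS:$h,"*) ;; *) return 1 ;; esac
  done
  return 0
}

make_csr
echo "CN: $(csr_cn "${WORK}/guest.csr")"
if csr_has_sans "${WORK}/guest.csr" ${CN} ${PSNS}; then
  echo "all expected names are in the SAN"
else
  echo "SAN is missing an expected name; fix the CSR before uploading it" >&2
fi
```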