05-14-2024 06:10 AM - edited 05-14-2024 06:20 AM
Hi
If I generate a CSR and then bind the certificate, does the wildcard cert then get pushed to all nodes in our ISE deployment, or just to the PSN nodes?
Also, can I use *.boaders.co.uk as the CN, or would it have to be guest.boaders.co.uk?
Thanks
05-14-2024 02:05 PM - edited 05-14-2024 03:25 PM
If you select Portal Certs, then tick the "wildcard" box and fill in the CN, OU, etc., there will be one CSR created. When you bind the cert back to the CSR, it will put the cert on all the PSNs. In fact, in a fully distributed ISE deployment, the portal certificate will land on any ISE node that has the Portal Tag you associate the cert with. If you assign the cert to the "Default Portal Certificate Group" Portal Group Tag, then every node will get it (including PAN and MnT). It does no harm, but best practice is to create a new Portal Group Tag and assign the cert to that.
The CN can be anything you like (public CAs might have a rule about how it should look), but I would not put a wildcard in the CN. Your suggestion of guest.boaders.co.uk would be ideal IMHO. And in the SAN, you'd have 2 DNS entries:
guest.boaders.co.uk
*.boaders.co.uk
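To see why the answer above recommends both an explicit DNS SAN and the wildcard, here is a small hostname-matching check written for this thread (it is not part of the original post, nor Cisco ISE code). It applies the RFC 6125 / RFC 2818 rules that browsers and most TLS clients use: the wildcard may only be the leftmost label, it matches exactly one label, and it never matches the bare domain. The SAN list is the one from the answer; hostnames other than guest.boaders.co.uk are constructed for illustration.

```python
"""Check which hostnames a set of dNSName SAN entries would cover.

Matching follows RFC 6125 / RFC 2818 as implemented by common TLS clients:
- a wildcard must be the whole leftmost label ("*.boaders.co.uk"),
- it matches exactly one label, so it does not cover sub-subdomains,
- it does not match the bare domain ("boaders.co.uk"),
- the CN is ignored by modern clients once any DNS SAN is present.
"""
from typing import Dict, Iterable, Optional


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers ``hostname``."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        # Plain entry: exact, case-insensitive match only.
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and appear nowhere else,
    # and at least two labels must follow it (clients reject "*.uk").
    if san_labels[0] != "*" or "*" in san_labels[1:] or len(san_labels) < 3:
        return False
    # A wildcard matches exactly one label, so the label counts must be equal;
    # this is what excludes both "boaders.co.uk" and "a.b.boaders.co.uk".
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def covering_san(sans: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers ``hostname``, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def coverage_report(sans: Iterable[str], hostnames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the SAN entry that covers it (None = not covered)."""
    sans = list(sans)
    return {host: covering_san(sans, host) for host in hostnames}


# SAN entries exactly as recommended in the answer above.
PORTAL_SANS = ["guest.boaders.co.uk", "*.boaders.co.uk"]

# Constructed hostnames for illustration; only guest.boaders.co.uk is from the thread.
SAMPLE_HOSTNAMES = [
    "guest.boaders.co.uk",       # covered by the explicit entry
    "sponsor.boaders.co.uk",     # covered by the wildcard
    "boaders.co.uk",             # bare domain: a wildcard never covers it
    "psn1.dmz.boaders.co.uk",    # two labels deep: wildcard covers one label only
]

if __name__ == "__main__":
    for host, san in coverage_report(PORTAL_SANS, SAMPLE_HOSTNAMES).items():
        print(f"{host:28s} -> {san or 'NOT COVERED'}")
```

If a portal FQDN falls under a deeper subdomain, the report shows it as not covered, which is the case to catch before binding the cert rather than after clients start throwing name-mismatch errors.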
05-15-2024 12:20 AM
Hi @Arne Bier
Thanks for that info, very helpful. Do you know whether, when our wildcard cert expires and we request another via the ISE CSR process, I have to upload the Root/Intermediate to Trusted Certs every time we do this?
Thanks