How many third-party signed SSL certificates are needed for an ISE 4-node deployment?

berik
Level 1

Hello,

Due to an agreement restriction, we have one wildcard (* in the CN field) and x number of simple (not multi-domain) third-party signed SSL certificates.

 

How many third-party signed SSL certificates are needed? In which combination?

 

Environment:

- ISE v2.7

- 4 nodes (2 Admin & MnT, 2 PSN)

- Sponsored Guest Access

- no BYOD

- no Profiling/Posture

- only Base, Device Admin licenses

 

On the 2 Admin & MnT nodes I plan to use a multi-use wildcard certificate signed by the internal corporate CA (* in the SAN field) for Admin, EAP Auth and Portals, without third-party signed certificates.

 

On the 2 PSNs:

- for the Admin function I plan to use an internal corporate CA signed cert (the same cert as on the PANs)

- for EAP Authentication - one simple third-party signed certificate on every PSN (two third-party signed certificates overall, with the PSN hostnames in the CN field)

- for the Guest and Sponsor portals - one third-party signed wildcard certificate (* in the CN field)

 

Are there any problems using third-party signed certificates this way?

Accepted Solution

Arne Bier
VIP

@berik - why don't you use the same style of Admin cert for all nodes? I assume it's because you don't care about a cert warning on the PSNs, but for the Admin persona you want no cert warnings? Fair enough. I'd keep it consistent though - unless it's a commercial (cost) issue.

EAP cert on the PSN seems fine - as long as the CN has no wildcard you're fine (which is your case).

Portal certs with wildcards in the CN are fine.

I think you're good to go. I would recommend installing the full CA cert chain into the ISE trusted cert store for all of these CA chains.
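To sanity-check the poster's plan against the two rules in this answer (no wildcard CN on the EAP certificate; a wildcard CN is acceptable on portal certificates) and to count the third-party certificates it consumes, here is an added Python example that is not code from the thread or from Cisco ISE. It goes slightly beyond the answer by also checking that each certificate's CN or SAN actually covers the node hostname; the hostnames, certificate names and the RFC 6125 style wildcard matching are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Subject CN and DNS SANs of one server certificate (constructed sample values)."""
    name: str
    cn: str
    sans: tuple = ()
    signer: str = "third-party"   # or "internal-ca"

def name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125 style: '*' only as the entire leftmost label, matching exactly one label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        head, sep, rest = fqdn.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return pattern == fqdn

def check_assignment(fqdn: str, usage: str, cert: Cert) -> list:
    """Findings for one node/usage/cert triple; an empty list means the assignment is fine."""
    issues = []
    if not any(name_matches(n, fqdn) for n in (cert.cn, *cert.sans)):
        issues.append(f"{cert.name}: neither CN nor SAN matches {fqdn} for {usage}")
    if usage == "EAP" and cert.cn.startswith("*"):   # rule from the answer: no wildcard CN for EAP
        issues.append(f"{cert.name}: wildcard CN is not acceptable for EAP on {fqdn}")
    return issues

def check_deployment(plan: dict) -> list:
    """plan maps (fqdn, usage) -> Cert; returns all findings across the deployment."""
    return [i for (fqdn, usage), cert in plan.items() for i in check_assignment(fqdn, usage, cert)]

def third_party_certs(plan: dict) -> set:
    """Distinct third-party signed certificates the plan consumes (the question in the title)."""
    return {c.name for c in plan.values() if c.signer == "third-party"}

# Constructed certificates mirroring the poster's plan (hostnames are placeholders).
INTERNAL = Cert("internal-multiuse", "ise.example.com", ("*.example.com",), "internal-ca")
PORTAL_WILDCARD = Cert("public-wildcard", "*.example.com")
PSN_EAP = {h: Cert(f"public-{h}", f"{h}.example.com") for h in ("psn1", "psn2")}

POSTER_PLAN = {}
for pan in ("pan1", "pan2"):                       # Admin+MnT nodes: internal cert for everything
    for usage in ("Admin", "EAP", "Portal"):
        POSTER_PLAN[(f"{pan}.example.com", usage)] = INTERNAL
for psn in ("psn1", "psn2"):                       # PSNs: internal for Admin, public certs for EAP/portals
    POSTER_PLAN[(f"{psn}.example.com", "Admin")] = INTERNAL
    POSTER_PLAN[(f"{psn}.example.com", "EAP")] = PSN_EAP[psn]
    POSTER_PLAN[(f"{psn}.example.com", "Portal")] = PORTAL_WILDCARD
```

Run `check_deployment(POSTER_PLAN)` to get the findings (none for this plan) and `third_party_certs(POSTER_PLAN)` to see the three public certificates it needs.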
