10-04-2020 08:32 PM
Hello,
Due to an agreement restriction we have one wildcard (* in CN field) and x number of simple (not multi-domain) third-party signed SSL certificates.
How many third-party signed SSL certificates are needed? In which combination?
Environment:
- ISE v2.7
- 4 node (2-Admin&MnT, 2 - PSN)
- Sponsored Guest Access
- no BYOD
- no Profiling/Posture
- only Base, Device Admin licenses
On the 2 Admin & MnT nodes I plan to use a multi-use wildcard Internal Corporate CA signed cert (* in SAN field) for Admin, EAP Auth and Portals, without third-party signed certificates.
On the 2 PSNs:
- for the Admin function I plan to use an Internal Corporate CA signed cert (same cert as on the PANs)
- for EAP Authentication - one simple third-party signed certificate on every PSN (overall two third-party signed certificates with the hostnames of the PSNs in the CN field)
- for Guest and Sponsor portals - one third-party signed wildcard certificate (* in CN field)
Are there any problems using third-party signed certificates this way?
10-13-2020 01:55 PM
@berik - why don't you use the same style of Admin cert for all nodes? I assume it's because you don't care about a cert warning on the PSNs, but for the Admin Persona you want no cert warnings? Fair enough. I'd keep it consistent though - unless it's a commercial (cost) issue.
EAP cert on the PSN seems fine - as long as the CN has no wildcard you're fine (which is your case).
Portal certs with wildcards in the CN are fine.
I think you're good to go. I would recommend installing the full CA cert chain into the ISE trusted cert store for all of these CA chains.
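The two rules the answer applies (an EAP cert is fine as long as its CN has no wildcard; portal certs may carry a wildcard CN) plus the basic "does this cert actually cover this node's FQDN" check, as an added example that is not from the original thread or from Cisco. Hostnames such as ise-psn1.example.com are constructed placeholders; certificates are modelled as plain CN/SAN strings rather than parsed X.509.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    cn: str                     # Subject CN as a DNS name
    sans: tuple = ()            # dNSName SAN entries

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label,
    matching exactly one label (so *.example.com != a.b.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_covers(cert: Cert, host: str) -> bool:
    """True if the CN or any SAN entry covers the node's FQDN."""
    return any(name_matches(n, host) for n in (cert.cn, *cert.sans))

def check_usage(cert: Cert, usage: str, host: str) -> list:
    """Return the problems found when binding cert to usage on host.
    usage is one of 'Admin', 'EAP', 'Portal' (ISE cert usages)."""
    problems = []
    if not cert_covers(cert, host):
        problems.append(f"{usage}: certificate does not cover {host}")
    if usage == "EAP" and "*" in cert.cn:
        problems.append("EAP: wildcard in CN; put the wildcard in the SAN "
                        "and use an exact hostname as CN")
    return problems

# Constructed plan mirroring the thread: PAN cert with wildcard in SAN only,
# per-PSN EAP certs with exact CN, one wildcard-CN cert for the portals.
PAN_CERT = Cert("ise-pan1.example.com", ("ise-pan1.example.com", "*.example.com"))
PSN1_EAP = Cert("ise-psn1.example.com", ("ise-psn1.example.com",))
PORTAL = Cert("*.example.com", ("*.example.com",))

def check_plan() -> dict:
    """Evaluate every cert/usage binding in the plan; empty lists mean OK."""
    return {
        "pan1-eap": check_usage(PAN_CERT, "EAP", "ise-pan1.example.com"),
        "psn1-eap": check_usage(PSN1_EAP, "EAP", "ise-psn1.example.com"),
        "psn1-portal": check_usage(PORTAL, "Portal", "ise-psn1.example.com"),
        "psn1-eap-wildcard-cn": check_usage(PORTAL, "EAP", "ise-psn1.example.com"),
    }
```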