
1144 Views, 10 Helpful, 1 Reply
berik
Beginner

How many third-party signed SSL certificates are needed for an ISE 4-node deployment?

Hello,

Due to an agreement restriction we have one wildcard certificate (* in the CN field) and x number of simple (not multi-domain) third-party signed SSL certificates.

How many third-party signed SSL certificates are needed? In which combination?

Environment:

- ISE v2.7
- 4 nodes (2 Admin & MnT, 2 PSN)
- Sponsored Guest Access
- no BYOD
- no Profiling/Posture
- only Base and Device Admin licenses

On the 2 Admin & MnT nodes I plan to use a multi-use wildcard certificate signed by the internal corporate CA (* in the SAN field) for Admin, EAP Auth and Portals, without third-party signed certificates.

On the 2 PSNs:

- for the Admin function I plan to use the internal corporate CA signed cert (same cert as on the PANs)
- for EAP Authentication, one simple third-party signed certificate on every PSN (overall two third-party signed certificates with the PSN hostnames in the CN field)
- for the Guest and Sponsor portals, one third-party signed wildcard certificate (* in the CN field)

Are there any problems using third-party signed certificates this way?

Accepted Solution
Arne Bier
VIP Advisor

@berik - why don't you use the same style of Admin cert for all nodes? I assume it's because you don't care about a cert warning on the PSNs, but for the Admin persona you want no cert warnings? Fair enough. I'd keep it consistent though, unless it's a commercial (cost) issue.

EAP cert on the PSN seems fine - as long as the CN has no wildcard you're fine (which is your case).

Portal certs with wildcards in the CN are fine.

I think you're good to go. I would recommend installing the full CA cert chain into the ISE trusted cert store for all of these CA chains.
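The checks in this answer (no wildcard in the CN of an EAP certificate, wildcard CN acceptable for portals, every CA chain present in the ISE trusted certificate store) can be applied to a planned layout before any certificate is purchased. The script below is an added example written for this page; it is not code from the thread or from Cisco. It models the four-node layout described in the question with constructed node names under `example.corp`, constructed certificate labels and CA chain names (`Corp-CA`, `Public-CA`), and a simple `Cert` record for the subject CN and SAN entries. Hostname matching follows the RFC 6125 rule that a wildcard may only replace the whole left-most label.

```python
"""Certificate layout checker for a planned Cisco ISE deployment (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    label: str          # planning label, constructed for this example
    issuer: str         # "internal" (corporate CA) or "third-party"
    chain: str          # name of the issuing CA chain that must be in the trusted store
    cn: str             # subject Common Name
    sans: tuple = ()    # subjectAltName DNS entries


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the entire left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False                      # '*', 'a*.x' or '*.*.x' are not accepted
    hhead, hsep, htail = hostname.partition(".")
    return bool(hhead) and hsep == "." and htail == tail


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if the CN or any SAN entry matches the hostname."""
    return any(name_matches(n, hostname) for n in (cert.cn, *cert.sans))


def check_assignment(node: str, usage: str, cert: Cert, trust_store: set) -> list:
    """Return the problems with using `cert` for `usage` ("Admin"/"EAP"/"Portal") on `node`."""
    problems = []
    if not cert_covers(cert, node):
        problems.append(f"{cert.label}: no CN/SAN entry matches {node}")
    if usage == "EAP" and "*" in cert.cn:
        problems.append(f"{cert.label}: wildcard CN is not acceptable for EAP")
    if cert.chain not in trust_store:
        problems.append(f"{cert.label}: CA chain '{cert.chain}' missing from trusted store")
    return problems


def plan_report(plan: dict, trust_store: set) -> tuple:
    """plan: node FQDN -> {usage: Cert}. Returns (sorted third-party cert labels, problems)."""
    problems, third_party = [], set()
    for node, usages in plan.items():
        for usage, cert in usages.items():
            problems.extend(check_assignment(node, usage, cert, trust_store))
            if cert.issuer == "third-party":
                third_party.add(cert.label)
    return sorted(third_party), problems


# Constructed certificates mirroring the layout in the question:
# internal wildcard (in the SAN) for the Admin/MnT nodes, one simple public cert
# per PSN for EAP, and one public wildcard (in the CN) for the portals.
INTERNAL_ADMIN = Cert("internal-admin", "internal", "Corp-CA", "ise.example.corp", ("*.example.corp",))
PSN1_EAP = Cert("psn1-eap", "third-party", "Public-CA", "psn1.example.corp")
PSN2_EAP = Cert("psn2-eap", "third-party", "Public-CA", "psn2.example.corp")
PORTAL_WILDCARD = Cert("portal-wildcard", "third-party", "Public-CA", "*.example.corp")

TRUST_STORE = {"Corp-CA", "Public-CA"}   # CA chains installed in ISE's trusted store

EXAMPLE_PLAN = {
    "pan1.example.corp": {"Admin": INTERNAL_ADMIN, "EAP": INTERNAL_ADMIN, "Portal": INTERNAL_ADMIN},
    "pan2.example.corp": {"Admin": INTERNAL_ADMIN, "EAP": INTERNAL_ADMIN, "Portal": INTERNAL_ADMIN},
    "psn1.example.corp": {"Admin": INTERNAL_ADMIN, "EAP": PSN1_EAP, "Portal": PORTAL_WILDCARD},
    "psn2.example.corp": {"Admin": INTERNAL_ADMIN, "EAP": PSN2_EAP, "Portal": PORTAL_WILDCARD},
}

if __name__ == "__main__":
    certs, problems = plan_report(EXAMPLE_PLAN, TRUST_STORE)
    print("third-party certificates required:", len(certs), certs)
    print("problems:", problems or "none")
    # What goes wrong if the portal wildcard were reused for EAP on a PSN:
    print(check_assignment("psn1.example.corp", "EAP", PORTAL_WILDCARD, TRUST_STORE))
```

Running it reports three third-party certificates (the two PSN EAP certs and the portal wildcard) and no problems for the layout in the question; swapping the portal wildcard into the EAP slot, or dropping a CA chain from `TRUST_STORE`, is flagged, which is the review an operator would want before the certificate order goes out.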

