how to import wildcard cert in PFX format into new ISE deployment

tachyon05
Level 1

I have a new ISE deployment, and I was given a wildcard cert in PFX format to use in this deployment. I was able to use OpenSSL to see the content of the PFX. It appears to contain a private key section and 3 certificate sections as shown below. How do I import this into ISE?

Bag Attributes
Key Attributes
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Bag Attributes
CN = my company name/domain
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Bag Attributes
CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Bag Attributes
CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

3 Replies

Greg Gibbs
Cisco Employee

See this link for information on how to convert PFX to PEM format.

You can save the Root and Intermediate certificates as separate .cer files and import them separately into the ISE Trusted Certificates store.

Save the identity certificate and private key as separate files and import them into the ISE System Certificates store, ticking the Allow Wildcard Certificates option. You would then tick the Admin and other Usage options for the certificate.

Please note that wildcard certs should not be used for EAP as they can be problematic with Windows supplicants.

"Please note that wildcard certs should not be used for EAP as they can be problematic with Windows supplicants."

This is not a fair blanket statement to make. A wildcard works fine for Windows machines doing EAP as long as the *.domain.tld is in the SAN field and not the CN. I have plenty of deployments where customers opted to use a wildcard this way.

Thanks. All employees' Windows devices will have the AnyConnect client, so my understanding is that a wildcard cert will be OK in my setup. A question on which trust options to select when importing the root and intermediate certs.

Options are

  1. Trust for authentication within ISE [checked by default]
  2. Trust for client authentication and Syslog
  3. Trust for cert based admin authentication
  4. Trust for authentication of Cisco Services
  5. Validate Cert Extensions