09-19-2014 07:31 AM - edited 03-12-2019 05:43 PM
I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but I am not sure of the process, and the Cisco docs add to the confusion. Am I supposed to generate a new CSR to give to the CA, or do I simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, I don't know...
Any assistance would be greatly appreciated
09-19-2014 09:26 AM
Hi,
In order to create a CSR file from the ISE using a wildcard certificate, you can do the following:
From the CSR page, enter CN=*.yourdomain.com
and, if you have a specific DNS entry for your ISE like ise1.yourdomain.com, put it under the SAN fields.
Also, you need to check the box "Allow Wildcard Certificate".
After that, you can generate and export the CSR and submit it to your CA to get the ID certificate (which you will bind with the CSR).
Also, you need the CA certificate itself to be added to the ISE certificate store.
Thanks.
Ahmad.
09-19-2014 10:02 AM
I have not yet created the CSR, and thank you for the instructions. My confusion is this:
I have the actual wildcard cert (*.domain.com cert), along with the CA bundle. I have imported the CA bundle already, but is there anything I should be doing with the *.domain.com cert?
Does it need to be imported, or is it useless? My understanding of a wildcard cert is that the single cert can be installed on whatever you'd like to use it on... or do you still need to go through the CSR process for each application on which you'd like to use it?
09-20-2014 12:40 AM
Unfortunately, you first need to create a CSR with the wildcard in either the CN or DNS fields, and then you need to get this CSR signed by the CA using the exact same values and bind it again to the CSR in the ISE configuration.
09-21-2014 10:48 AM
If you are already in possession of the wildcard cert and the private key, then you don't need a CSR. You can simply import the certificate in ISE:
1. Go to Administration > Certificates > Local Certificates > Add > Import Server Certificate
2. Use the "browse" buttons to point to the certificate file and private key
3. Check "Allow Wildcard Certificates"
4. Select the protocol that you want to use it for (EAP or HTTPS or both)
5. Hit submit
6. Go to Certificates Store
7. Import the root CA certificate and Intermediate CA certificate(s) (If any)
Thank you for rating helpful posts!
09-28-2014 08:53 PM
A word of caution. If you are planning to use this cert for 802.1X in BYOD environments, you should look into using a SAN cert instead, with all your PSNs in it. Wildcard certs are not good for Windows machines in a PEAP/BYOD scenario, and iOS also has issues with certain wildcard certs.
10-08-2023 03:41 AM
Hi Jan, sorry for this question, but for my understanding:
I have two ISE nodes
1) PAN PSN MnT name ise1.ise.labdomain.com
2) PAN PSN MnT name ise2.ise.labdomain.com
In the CSR, what name do I need to put in the CN and in the SAN?
In the SAN I put *.ise.labdomain.com, but you also mention the PSN... Can you explain this behaviour to me please?
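An added example, not from any of the posters above, that ties the replies together: it builds the CSR the answers describe (CN = wildcard, SAN = wildcard plus each node's FQDN, using the ise1/ise2 names from the last question), signs it with a throwaway test CA standing in for the real one, then runs the two checks worth doing before importing into ISE: that the issued cert matches the private key (the "bind" step) and which hostnames the cert actually covers. It assumes the openssl CLI (1.1.1 or later); the domain and node names are constructed.

```shell
# Added example: wildcard CSR with per-node SANs, signed by a constructed test CA,
# then cert/key match and hostname coverage checks. Names below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
WILDCARD="*.ise.labdomain.com"
NODES="ise1.ise.labdomain.com ise2.ise.labdomain.com"

san_list() {
  # SAN string: the wildcard plus every node FQDN, so each host matches either way.
  san="DNS:$WILDCARD"
  for n in $NODES; do san="$san,DNS:$n"; done
  printf '%s' "$san"
}
make_test_ca() {
  # Stand-in for the real CA that would sign the CSR (constructed, 30-day lifetime).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 30 -subj "/CN=Lab Test CA" 2>/dev/null
}
make_csr() {
  # Key + CSR: the equivalent of what ISE generates with "Allow Wildcard Certificate" ticked.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ise.key" \
    -out "$WORK/ise.csr" -subj "/CN=$WILDCARD" -addext "subjectAltName=$(san_list)" 2>/dev/null
}
sign_csr() {
  # The CA must re-issue the SAN; -extfile works on OpenSSL 1.1.1 and 3.x alike.
  printf 'subjectAltName=%s\n' "$(san_list)" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/ise.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/ise.crt" -days 30 -extfile "$WORK/ext.cnf" 2>/dev/null
}
cert_matches_key() {
  # The "bind" step: the issued cert must carry the public key of the CSR's private key.
  c=$(openssl x509 -in "$WORK/ise.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/ise.key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}
covers_host() {
  # Chain plus hostname check, the way a supplicant or browser evaluates it; 0 = covered.
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/ise.crt" >/dev/null 2>&1
}

make_test_ca; make_csr; sign_csr
cert_matches_key && echo "cert matches key"
for h in $NODES ise3.ise.labdomain.com ise.labdomain.com x.ise1.ise.labdomain.com; do
  if covers_host "$h"; then echo "covered:     $h"; else echo "NOT covered: $h"; fi
done
```

The last loop shows the single-label rule behind the SAN advice: *.ise.labdomain.com covers ise3.ise.labdomain.com but neither the bare ise.labdomain.com nor a deeper name, so any node outside that one label needs its own SAN entry.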