8338 Views, 16 Helpful, 6 Replies

Installing wildcard cert on ISE for HTTP/EAP

MMstre
Level 3

I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but I am not sure of the process, and the Cisco docs add to the confusion. Am I supposed to generate a new CSR to give to the CA, or do I simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, I don't know...

Any assistance would be greatly appreciated

6 Replies

Ahmad Murad
Level 1

Hi,

In order to create CSR file from the ISE using a wildcard certificate, you can do the following:

From the CSR page, enter the CN=*.yourdomain.com

and, if you have a specific DNS entry for your ISE like ise1.yourdomain.com, put it under the SAN fields.

Also, you need to check the box of "Allow Wildcard Certificate".

After that, you can generate and export the CSR and submit it to your CA to get the ID certificate (which you will bind to the CSR).

Also, you need the CA certificate itself to be added to the ISE certificate store.


Thanks.

Ahmad.

I have not yet created the CSR, and thank you for the instructions.  My confusion is this:

I have the actual wildcard cert (*.domain.com cert), along with the CA bundle. I have imported the CA bundle already, but is there anything I should be doing with the *.domain.com cert?

Does it need to be imported, or is it useless?  My understanding of a wildcard cert is that the single cert can be installed on whatever you'd like to use it on... or do you still need to go through the CSR process for each application on which you'd like to use it?

Unfortunately, you need first to create a CSR with the wildcard filled in either the CN or the DNS fields, and then you need to have this CSR signed by the CA using the exact same values and bind it again to the CSR in the ISE configuration.

If you are already in the possession of the wildcard cert and the private key, then you don't need CSR. You can simply import the certificate in ISE:

1. Go to Administration > Certificates > Local Certificates > Add > Import Server Certificate

2. Use the "browse" buttons to point to the certificate file and private key

3. Check "Allow Wildcard Certificates"

4. Select the protocol that you want to use it for (EAP or HTTPS or both)

5. Hit submit

6. Go to Certificates Store

7. Import the root CA certificate and Intermediate CA certificate(s) (If any)


Thank you for rating helpful posts!


jan.nielsen
Level 7

A word of caution. If you are planning to use this cert for 802.1X in BYOD environments you should look into using a SAN cert instead, with all your PSNs in it. Wildcard certs are not good for Windows machines in a PEAP/BYOD scenario, and iOS also has issues with certain wildcard certs.

Hi Jan, sorry for this question, but for my understanding:

I have two ISE nodes:

1) PAN PSN MnT name ise1.ise.labdomain.com

2) PAN PSN MnT name ise2.ise.labdomain.com

In the CSR, what name do I need to put in the CN and in the SAN?

In the SAN I put *.ise.labdomain.com, but you also mention the PSNs... Can you explain this behaviour to me please?
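The question above and Jan's caution about wildcard versus SAN certificates both come down to how a client matches the name of the PSN it is talking to against the dNSName entries in the server certificate. The following is an added example, not code from the thread or from Cisco ISE: it implements the usual matching rule (a bare leftmost `*` covers exactly one DNS label, case-insensitively) and reports which of the two node names from the question (`ise1.ise.labdomain.com`, `ise2.ise.labdomain.com`) a wildcard-only SAN covers, compared with a SAN that lists each PSN explicitly. The `allow_wildcard=False` switch is an assumed model of a supplicant that refuses wildcard names, which is the behaviour Jan warns about; the node names and SAN lists are constructed from the thread, not taken from any real deployment.

```python
"""Which ISE node names does a certificate's SAN cover?  (Added example.)"""
from typing import Dict, Iterable, List


def match_dns_name(pattern: str, hostname: str, allow_wildcard: bool = True) -> bool:
    """Return True if `hostname` is covered by the SAN dNSName `pattern`.

    Rules modelled on RFC 6125 section 6.4.3: comparison is case-insensitive,
    a wildcard must be the entire leftmost label (no 'ise*.example.com'),
    it matches exactly one label (so '*.ise.labdomain.com' does not cover
    'ise.labdomain.com' or 'psn.dc2.ise.labdomain.com'), and a wildcard in a
    name with fewer than three labels ('*.com') is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only

    if not allow_wildcard:
        return False  # assumed strict client: wildcard entries are ignored

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # The only accepted form is a bare '*' as the whole leftmost label.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    if len(p_labels) < 3:
        return False
    # One label only: label counts must agree and the rest must be identical.
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def coverage(san_dns_names: Iterable[str], node_names: Iterable[str],
             allow_wildcard: bool = True) -> Dict[str, bool]:
    """Map each node name to whether any SAN entry covers it."""
    san = list(san_dns_names)
    return {node: any(match_dns_name(p, node, allow_wildcard) for p in san)
            for node in node_names}


# Constructed from the names in the thread; not a real deployment.
NODES: List[str] = ["ise1.ise.labdomain.com", "ise2.ise.labdomain.com"]
WILDCARD_SAN: List[str] = ["*.ise.labdomain.com"]
# Jan's recommendation: list every PSN explicitly (the wildcard may stay as well).
EXPLICIT_SAN: List[str] = ["*.ise.labdomain.com",
                           "ise1.ise.labdomain.com",
                           "ise2.ise.labdomain.com"]


def report() -> None:
    for label, san in (("wildcard-only SAN", WILDCARD_SAN),
                       ("SAN with each PSN", EXPLICIT_SAN)):
        for strict in (False, True):
            client = "strict client (no wildcards)" if strict else "lenient client"
            cov = coverage(san, NODES, allow_wildcard=not strict)
            print(f"{label}, {client}: {cov}")


if __name__ == "__main__":
    report()
```

Running it shows the wildcard-only SAN covering both nodes for a client that honours wildcards, covering neither for the strict client, and the explicit list covering both in either case; it also shows that the wildcard does not cover the bare `ise.labdomain.com` or any deeper name, so a PSN in a sub-zone needs its own SAN entry. Most modern TLS clients match against the SAN and ignore the CN once a SAN is present, which is why the thread's advice puts the node names in the SAN rather than relying on the CN alone.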