
ISE 2.4 generate CSR for renew multi-use public certificate

haltong (Cisco Employee)

Hi all


I tried to use ISE to generate a CSR so a customer could renew their publicly signed certificate. When I chose the checkbox for all nodes, it generated a CSR for each node, so when I downloaded it I saw multiple CSRs. Is that correct?


Subject field
• CN=ise.abcde.com
• OU=IT
• O=ABCDE
• L=Hong Kong
• C=HK

Subject Alternative Name (SAN) field
• DNS Name: ise.abcde.com
• DNS Name: ise01.abcde.com
• DNS Name: ise02.abcde.com
• DNS Name: ise03.abcde.com

Signature Algorithm
• SHA256

Key Length
• 2048

Accepted Solution

andrewswanson (Level 7)

Hi


I recently did a similar CSR for a 5-node 2.3 deployment. When you choose "all nodes", a CSR is created for all nodes.


As my CSR was for a single certificate for all 5 nodes (CN=radius.example.com with the 5 nodes' hostnames as SANs), I submitted one of these CSRs to be signed. When I got the signed certificate back, I imported it and bound it to the ISE node the CSR came from.


I then exported this certificate/key and imported it onto the other ISE nodes.


Cheers
Andy

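An added check that goes with the CSR fields in the question and with Andy's single-certificate approach (example code written for this thread, not Cisco's or ISE's): it parses the Subject, SAN, key-size and signature lines of `openssl req -noout -text` or `openssl x509 -noout -text` output and reports which ISE node FQDNs the certificate would not cover. Name validation in modern supplicants and browsers consults only the SAN list, so the CN (ise.abcde.com or radius.example.com) must also appear as a DNS SAN. The embedded openssl text and the node list are constructed from the question, not captured from a real ISE deployment; when run from a shell it reads real openssl output from stdin instead.

```python
"""Check that one multi-use ISE certificate/CSR covers every node's FQDN.

Added example for this thread; not Cisco/ISE code. Parses the text form
that `openssl req -noout -text -in ise.csr` (or `openssl x509 -noout -text`)
prints and checks SAN coverage, key size and signature algorithm.
"""
import re
import sys

# Constructed sample: the relevant part of `openssl req -noout -text` output
# for the CSR described in the question (not real output from ISE).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = HK, L = Hong Kong, O = ABCDE, OU = IT, CN = ise.abcde.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ise.abcde.com, DNS:ise01.abcde.com, DNS:ise02.abcde.com, DNS:ise03.abcde.com
    Signature Algorithm: sha256WithRSAEncryption
"""

# Assumed node list, taken from the SANs in the question.
SAMPLE_NODES = ["ise01.abcde.com", "ise02.abcde.com", "ise03.abcde.com"]


def parse_openssl_text(text):
    """Return (cn, [dns SANs], key_bits, sig_alg) from openssl -text output."""
    # "Subject:" only (not "Subject Public Key Info:"); both "CN = x" and "CN=x"
    # spellings are produced by different OpenSSL versions.
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None

    # The SAN entries sit on the line after the extension name; tolerate the
    # " critical" suffix. Only DNS entries matter for hostname validation.
    sans = []
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    if m:
        for item in m.group(1).split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                sans.append(item[4:].strip().lower())

    m = re.search(r"Public-Key: \((\d+) bit\)", text)
    key_bits = int(m.group(1)) if m else None
    m = re.search(r"Signature Algorithm: (\S+)", text)
    sig_alg = m.group(1) if m else None
    return cn, sans, key_bits, sig_alg


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact, or a wildcard that is the whole leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.abcde.com" covers ise01.abcde.com but not a.b.abcde.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def coverage_report(text, node_fqdns, min_bits=2048):
    """Report node FQDNs not covered by the SAN list plus other CSR problems."""
    cn, sans, key_bits, sig_alg = parse_openssl_text(text)
    missing = [n for n in node_fqdns if not any(hostname_matches(s, n) for s in sans)]
    problems = []
    if cn and not any(hostname_matches(s, cn) for s in sans):
        problems.append(f"CN {cn} is not repeated in the SAN list (clients ignore the CN)")
    if key_bits is not None and key_bits < min_bits:
        problems.append(f"key is {key_bits} bit, want at least {min_bits}")
    if sig_alg and re.search(r"sha1|md5", sig_alg, re.I):
        problems.append(f"weak signature algorithm {sig_alg}")
    problems.extend(f"node {n} is not covered by any SAN" for n in missing)
    return {"cn": cn, "sans": sans, "key_bits": key_bits,
            "sig_alg": sig_alg, "missing": missing, "problems": problems}


if __name__ == "__main__":
    # Usage: openssl req -noout -text -in ise.csr | python3 check_san.py ise01.abcde.com ise02.abcde.com
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSR_TEXT
    nodes = sys.argv[1:] or SAMPLE_NODES
    report = coverage_report(text, nodes)
    print(f"CN={report['cn']} SANs={report['sans']} key={report['key_bits']} sig={report['sig_alg']}")
    for p in report["problems"]:
        print("PROBLEM:", p)
    sys.exit(1 if report["problems"] else 0)
```

Run it against each of the per-node CSRs ISE produced before picking the one to submit: since every node's CSR carries the same Subject and SAN list, whichever one is signed must list every PSN's FQDN, or the EAP/admin name check will fail on the nodes that are missing.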

3 Replies


Hi Andy,


Thanks for the information. It seems the rest of the CSRs are not necessary, from your experience.

Did you also renew the existing public certificate?

Hi

Originally, the ISE nodes each had a separate certificate with a unique CN, e.g. ise-psn.example.com, which was used for EAP/admin. The new single certificate with CN=radius.example.com (with all the ISE nodes' hostnames as SANs) replaced all the old certificates, so it wasn't technically a certificate renewal.

Cheers

Andy