cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
562
Views
11
Helpful
18
Replies

ISE Cert Question

benolyndav
Level 4
Level 4

Hi

Do I need to generate a CSR for a cert on ISE its a *cert or can I just add the cert to the ISE Nodes for Portal use.??

 

Thanks

3 Accepted Solutions

Accepted Solutions

@benolyndav no you do not need to generate the CSR on ISE itself. It can be generated by other means, but when you import the signed certificate into ISE you will need to import the private key.

 

1.png

This is quite common if you use a wildcard/multi-domain certificate.

View solution in original post

@benolyndav that screenshot is if you create the CSR on ISE, I thought you weren't going to do that?

If you do use ISE to generate the CSR when you select "allow wildcard certificate" all the nodes disappear (meaning you cannot select them) and you define the certificate options (CN, OU etc). One CSR is created, get it signed and then import to all the other ISE nodes and assign the usage as Portal.

View solution in original post

@benolyndav  "trusted for authentication within ISE" and the sub options.

View solution in original post

18 Replies 18

@benolyndav no you do not need to generate the CSR on ISE itself. It can be generated by other means, but when you import the signed certificate into ISE you will need to import the private key.

 

1.png

This is quite common if you use a wildcard/multi-domain certificate.

@Rob Ingram 
Thanks for that, do the Certs have to be apache ??

 

Thanks

@benolyndav I assume you are referring to when processing the CSR via a public provider? Yes, I imagine apache would work.

Hi @Rob Ingram 
Yes I was refering to that process, do you know which other formats would work as well.??
also if I select generate CSR do I choose portal now or do the uasgae later,? and also see image do I select all the ised nodes for the CSR ?? and check the wildcard box ?

benolyndav_0-1713271062320.png

 


Thanks

@benolyndav that screenshot is if you create the CSR on ISE, I thought you weren't going to do that?

If you do use ISE to generate the CSR when you select "allow wildcard certificate" all the nodes disappear (meaning you cannot select them) and you define the certificate options (CN, OU etc). One CSR is created, get it signed and then import to all the other ISE nodes and assign the usage as Portal.

@Rob Ingram 
Hi great I never noticed that, and yes I might have to generate from ISE afterall,  So would you suggest leaving as multi use until I have the signed Cert back then when importing to each node there I select portal usage ??

benolyndav_0-1713272877245.png

Thanks

 

If the cert will be used on the portal then you should select the portal usage and associate the CSR to the portal group that will use the cert, however, even if you select multi-use and then you associate it to the portal usage it would work anyway, but there is no point to do it that way.

@benolyndav If the certificate is just used for Portal select portal.

Selecting the usage of a certificate is just a tick box, you can change the usage of other certificates anytime.

@Rob Ingram 

Can the friendly name be anything, its appending the ISE node name on the freindly name, and I need to add to other nodes, does this matter.?

Thanks

@benolyndav it can be anything, generally put a useful name related to its purpose.

@Rob Ingram 
So got the CSR binded and looks ok, another question I'm assuming I need the new root cert in trusted certs in ISE, what should I select regarding trusted for , and also does addding a cert to trusted certs trigger a services restart.??

Thanks

Importing the root certificate (and the intermediate cert if used) into the trusted certificates store in ISE does not trigger any applications reload and you need to select the "Trust for client authentication and Syslog" option to allow ISE to accept the negotiation with the clients presenting a certificate issued by that root or intermediate CA.

@benolyndav yes you need to import the root and intermediate root certificate, trusted for authentication.

No services won't restart for the portal certificate only admin cert.

@Rob Ingram Which one please there is multiple authentication options

 

benolyndav_0-1713346889635.png