Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
702
Views
5
Helpful
2
Replies

ISE certificate management queries

Go to solution
atsukane
Level 1
Level 1

‎01-10-2020 08:09 AM

We are in the process of upgrading ISE from 2.1 to 2.4, and I'm tasked with certificate side of things.

Currently existing 2.1 is only used for Guest WiFi, and we plan to utilise the new system for EAP authentication as well.

We've decided to go with publicly signed wildcard certificate for all things ISE (Admin, EAP, portals and maybe pxGrid at later stage?). I've followed the Cisco best practise for generating a CSR by using a generic name in CN and added this generic CN i and the wildcard in the SAN field. Our supplier is having difficulty progressing with this CSR though, and waiting to find out how it goes. 

Now, as for the trusted certificates, Digicert Root CA is already in trusted cert store on ISE by default for Endpoints, Infrastructure and AdminAuth.

Assuming we'd also have to add our internal CA root CAs here, but do I need to select this for the same purposes as well? 

 

Thanks in advance,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-10-2020 09:16 AM

It can be difficult to get wildcard certs issued, but I've had success continuing to identify the specifics. It sounds like you have that sorted nesting the wildcard in the SAN.

As far as adding the internal CA chain to the trusted certificates, you will need to mark it for client authentication since most companies deploy internal certs for their users/machines. What ever certs are deployed for use with EAP, you can just add the trust chain. Don't forget to import both root and intermediate certs for all CA's you expect.

View solution in original post

2 Replies 2

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-10-2020 09:16 AM

It can be difficult to get wildcard certs issued, but I've had success continuing to identify the specifics. It sounds like you have that sorted nesting the wildcard in the SAN.

As far as adding the internal CA chain to the trusted certificates, you will need to mark it for client authentication since most companies deploy internal certs for their users/machines. What ever certs are deployed for use with EAP, you can just add the trust chain. Don't forget to import both root and intermediate certs for all CA's you expect.

Go to solution
atsukane
Level 1
Level 1
In response to Damien Miller

‎01-10-2020 10:56 AM

Thanks, that's very helpful!
0 Helpful
Customers Also Viewed These Support Documents