01-21-2023 07:05 AM
I'm planning to implement ISE with 2 node appliances (not VM). To generate the CSR, which option should I use: wildcard or without wildcard?
Which is the better way to do it?
If using a wildcard, what will I be missing? Can I use the same certificate for all services, EAP etc.?
01-21-2023 07:11 AM
I would only use wildcard if there are too many devices to handle a SAN certificate. And with two nodes you just don’t need scalability with the certificate.
01-21-2023 07:15 AM
So with a wildcard certificate it is OK? I heard there will be some issues with EAP on Windows client machines. Is that true? What do you suggest?
01-21-2023 07:57 AM
As mentioned, SAN is better and more secure. But WC will typically work as long as the Wildcard is not in the CN. The CN should hold a generic FQDN and the WC is used in a SAN.
01-21-2023 08:07 AM
I generated the wildcard as below. Is this OK?
Hostname: ise01
Subject: CN=ise01.gg.net,OU=FQ ,O=GG,L=London,ST=London,C=UK
Key Length: 2048
Timestamp: Sat, 21 Jan 2023
Friendly Name: ISE01#Multi-Use
Used for: Multi-Use
Subject Alternative Names: DNS:ise01.gg.net,DNS:ise02.gg.net,DNS:*.gg.net,IP:192.168.0.106,IP:192.168.0.107
Certificate Policies
01-21-2023 08:18 AM
Yes, that should work.
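The rule given in the thread (a node FQDN in the CN, the wildcard only as a SAN entry) can be checked before a CSR is submitted. The following is an added example, not part of the original thread and not Cisco code; the function names are hypothetical, and the two extra checks (CN repeated in the SAN, wildcard only as the leftmost label) go beyond what the thread states.

```python
# Added example (not from the thread): lint the Subject and SAN strings
# in the form the ISE CSR page displays them.
import ipaddress

def parse_subject(subject):
    """Split 'CN=...,OU=...' into a dict. Simplification: no escaped commas."""
    fields = {}
    for part in subject.split(","):
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields

def parse_san(san):
    """Return (dns_names, ip_addresses); a malformed IP raises ValueError."""
    dns, ips = [], []
    for entry in san.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.upper() == "DNS":
            dns.append(value.strip().lower())
        elif kind.upper() == "IP":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips

def check_csr_fields(subject, san):
    """Return a list of findings; an empty list means the layout is as advised."""
    findings = []
    cn = parse_subject(subject).get("CN", "").lower()
    dns, _ = parse_san(san)
    if "*" in cn:
        findings.append("wildcard in CN: move it to a SAN DNS entry")
    if cn and cn not in dns:
        # Extra check, beyond the thread: clients match names against the SAN.
        findings.append("CN is not repeated as a SAN DNS entry")
    for name in dns:
        # Extra check, beyond the thread: wildcard only as the whole leftmost label.
        if "*" in name and not (name.startswith("*.") and "*" not in name[2:]):
            findings.append("wildcard not confined to leftmost label: " + name)
    return findings

# Values as posted in the thread.
POSTED_SUBJECT = "CN=ise01.gg.net,OU=FQ ,O=GG,L=London,ST=London,C=UK"
POSTED_SAN = ("DNS:ise01.gg.net,DNS:ise02.gg.net,DNS:*.gg.net,"
              "IP:192.168.0.106,IP:192.168.0.107")
# Constructed counter-example with the wildcard in the CN.
BAD_SUBJECT = "CN=*.gg.net,O=GG"
BAD_SAN = "DNS:ise01.gg.net,DNS:ise02.gg.net"

if __name__ == "__main__":
    print(check_csr_fields(POSTED_SUBJECT, POSTED_SAN))
    print(check_csr_fields(BAD_SUBJECT, BAD_SAN))
```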