ISE CSR - wild card or server specific?

jaheshkhan · ‎01-21-2023

im planning to implement ISE with 2 node appliances (not VM). To generate CSR which option should I use - wild card or without wild card?

which is the better way to do it?

if using wild card what ill be missing? can I use the same certificate for all services EAP etc?

Karsten Iwen · ‎01-21-2023

I would only use wildcard if there are too many devices to handle a SAN certificate. And with two nodes you just don’t need scalability with the certificate.

jaheshkhan · ‎01-21-2023

so with wildcard certificate is ok? i heard there will be some issue with EAP in windows client machines? is that true? what do you suggest?

Karsten Iwen · ‎01-21-2023

As mentioned, SAN is better and more secure. But WC will typically work as long as the Wildcard is not in the CN. The CN should hold a generic FQDN and the WC is used in a SAN.

jaheshkhan · ‎01-21-2023

I generated wildcard as below. is this ok?

Hostname

ise01

Subject

CN=ise01.gg.net,OU=FQ ,O=GG,L=London,ST=London,C=UK

Key Length
2048

Timestamp
Sat, 21 Jan 2023

Friendly Name
ISE01#Multi-Use

Used for
Multi-Use

Subject Alternative Names

DNS:ise01.gg.net,DNS:ise02.gg.net,DNS:*.gg.net,IP:192.168.0.106,IP:192.168.0.107

Certificate Policies

Karsten Iwen · ‎01-21-2023

Yes, that should work.