
ISE - Installing the same certificate in every PSN in a node group

luis.elvira
Level 1

Hi,

To make sure the certificate error warning is not shown to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and the friendly URLs for sponsor and mydevices. But when I try to import it to more than one PSN, the following error message is shown: "The certificate already exists in the data base".

How can I import the same certificate (with the same private key) in every PSN in a node group?

We have ISE 1.1.2

Thanks in advance!!

Luis

5 Replies

jan.nielsen
Level 7

You can't. ISE does not support wildcard certs. You need SAN certificates for each ISE node.


Here is a good guide provided by TAC; please use this as a reference.

http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bd0953.shtml

Thanks,

Tarik Admani
*Please rate helpful posts*

Rumor has it that ISE 1.2 (or later) will support wildcard certs.

Until then, you'll have to use SAN certs like Jan has suggested.

Hello All,

ISE software also uses openssl. Although up to ISE 1.1.x the interface does not provide a field for SAN (Subject Alternative Name), it should support wildcard certificates. It is just the interface that does not facilitate certificate and CSR generation. So we need to generate the certificate and CSR by explicit use of openssl. Tarik has already provided the link, which can be of valuable assistance.

As far as wildcard certificate support is concerned, ISE 1.2 would definitely support this feature. This is confirmed.
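The replies above point to generating the key and CSR with openssl when the GUI has no SAN field. The following is an added example, not from any poster in this thread or from the linked TAC guide: it creates a fresh private key and a CSR with SAN entries for one node, so no private key has to be copied between PSNs. The function names and the `example.com` hostnames are constructed placeholders.

```shell
# Added example: per-node key plus CSR with Subject Alternative Names.
# Usage (hostnames are constructed placeholders):
#   make_san_csr ./psn1 psn1.example.com sponsor.example.com mydevices.example.com
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir" || return 1
    cnf="$outdir/san.cnf"
    {
        # Request section: no prompting, extensions taken from [v3_req]
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        printf 'req_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_req]\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt\n[alt]\n'
        # The CN is repeated as the first SAN, followed by the portal names
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
    # umask keeps the unencrypted key readable by its owner only
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
          -keyout "$outdir/psn.key" -out "$outdir/psn.csr" ) 2>/dev/null || return 1
}

# Print the DNS names a CSR actually carries, space separated,
# so the request can be checked before it is sent to the CA.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}
```

Run `make_san_csr` once per node with that node's FQDN as the first name, and check the output of `csr_san_names` before submitting the CSR.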

Thanks for sharing the link.