ISE wildcard Certificate 2.4

benolyndav (Level 4)

Hi

We generated a CSR from one of our VPN devices (not Cisco), and we are using a wildcard cert.

My question is: how do I get this wildcard cert onto ISE 2.4 to be used for the guest portals when the CSR wasn't generated from ISE?

Thanks in advance


Greg Gibbs (Cisco Employee)

To import an identity (system) certificate, you need both the certificate and the private key. If the CSR was generated on the VPN device, you would need to copy the private key that was created for the CSR from the VPN device to a local file and import that key file with the certificate into ISE.

benolyndav (Level 4)

Hi

I have the pem, crt, gd-g2 files but am unsure what the process is.

Thanks for your response

You would need to consult the support information for your VPN solution to determine how you can export the private key (assuming it supports that) that was used to generate the CSR.

When you have that, you would import the certificate and private key in ISE from the Administration > System > Certificates > System Certificates using the Import button. Most systems require you to specify a password when exporting a private key, so the import form includes the password field.

Example: [screenshot: Screen Shot 2020-05-19 at 4.06.31 pm.png]

Hi Greg

We generated the CSR from one of our servers (IIS), then imported it into our Juniper boxes, and this was straightforward. What extensions do they need to be for ISE? Can this even be done without generating the CSR from ISE? I'm sure it must be possible.

Thank you

You cannot import the CSR into ISE and you need the private key to import the identity certificate into ISE.

If you created the CSR from IIS Manager, I'm not aware that there is any option to mark that certificate as exportable, so you won't be able to export the signed certificate with the private key.

You can certainly generate a CSR outside of ISE, but you must use a method that allows you to export the private key so it can be imported into ISE with the signed certificate.

See this example of using OpenSSL to generate the key and CSR that can be signed by your CA:

Generate a CSR using OpenSSL on Microsoft Windows system

The Server Authentication Extended Key Usage (EKU) is required for an ISE system certificate.

Hi Greg

Thanks for the response!

Sounds like creating the CSR from ISE first and then exporting it for other devices would be much more straightforward? Any thoughts?

Thanks again

Yes, you could create a CSR for a wildcard certificate in ISE, bind that certificate to the CSR, then export it with the private key to use for another system. It just depends on what you intend to use that certificate for in ISE and any restrictions the other systems may have around wildcard certificates.

Also note the following guidelines that ISE has in the CN field of the CSR form:

4. For EAP Wildcard certificates:
- CN should not include wildcard
- If there is a CN, it must also exist in the SAN DNS Name
- The wildcard should be present in the SAN DNS Name.

Example:
CN = ise.example.com
SAN DNS Name 1 = ise.example.com
SAN DNS Name 2 = *.example.com
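As an added example (not from the thread, Cisco, or ISE itself), this script generates the private key and a wildcard CSR with OpenSSL, laid out the way the CN-field guidelines above describe and carrying the Server Authentication EKU mentioned earlier, then checks the CSR against those rules before it goes to the CA. The hostname, file paths and the check function are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): create an exportable private key and a
# wildcard CSR outside ISE, laid out as the ISE CSR form guidelines describe,
# then sanity-check the CSR before sending it to the CA.
set -eu
umask 077                       # key material must not be group/world readable

WORK="$(mktemp -d)"
CN="ise.example.com"            # assumed hostname; the CN carries no wildcard
WILDCARD="*.example.com"        # the wildcard lives in the SAN only

# OpenSSL request config: CN repeated in the SAN, wildcard in the SAN, serverAuth EKU.
cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CN
[ext]
subjectAltName = DNS:$CN, DNS:$WILDCARD
extendedKeyUsage = serverAuth
EOF

# Generate the key ourselves so it can later be imported into ISE with the signed cert.
gen_csr() {
  openssl genrsa -out "$WORK/ise.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ise.key" -config "$WORK/csr.cnf" -out "$WORK/ise.csr"
}

# Returns 0 only if the CSR satisfies the three wildcard rules and carries the EKU.
check_csr() {
  txt="$(openssl req -in "$WORK/ise.csr" -noout -text)"
  cn="$(printf '%s\n' "$txt" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p' | head -n 1)"
  case "$cn" in *'*'*) echo "CN must not contain a wildcard"; return 1 ;; esac
  printf '%s\n' "$txt" | grep -q "DNS:$cn" || { echo "CN missing from SAN DNS names"; return 1; }
  printf '%s\n' "$txt" | grep -q 'DNS:\*\.' || { echo "no wildcard SAN DNS name"; return 1; }
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "Server Authentication EKU missing"; return 1; }
}

gen_csr && check_csr && echo "CSR ready to submit: $WORK/ise.csr (key: $WORK/ise.key)"
```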

Hi Greg

Forgot to add in my first reply: we exported from IIS and then imported into the VPN devices; we got .crt and .pem files, and a PKCS file (.p7b).

Thanks

On ISE, we can only import Base64-format certificates with a .cer extension.

Hi

Thanks for that. I see in IIS how to export in Base64, but any idea about how to get the PVK file for ISE?

The PVK (private key) is something that remains on ISE. If you need to have a PVK file, first bind the CSR with the certificate signed by the certificate authority and then export this certificate from ISE. The export will give the option to export the certificate along with its private key.

It sounds like you're trying to export the certificate with the private key (PVK) file from your Windows server to import them into ISE. This can be done, but would require the following:

  • The certificate must have been generated using a Certificate Template that has the 'Allow private key to be exported' option enabled.

Example: [screenshot: Screen Shot 2020-06-02 at 8.53.08 am.png]

  • When exporting the certificate with the private key, the PFX (PKCS #12) format is the only option provided by the Windows Certificate Export Wizard.
  • Once you export the PFX file, you will need to use OpenSSL to obtain the separate certificate and key files. See this Digicert KB article for the steps.
  • Once you have the certificate and key files, you can import them into ISE.
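As an added example (not from the thread, the DigiCert article, or Cisco), this script shows the OpenSSL step described above: splitting a PFX (PKCS #12) export into the separate Base64 certificate and private-key files the ISE import form expects, converting a .p7b bundle like the one mentioned earlier to PEM, and confirming the key matches the certificate. It builds a self-signed sample so it runs offline; the export password, file names and helper functions are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a Windows PFX export into the separate
# Base64 certificate (.cer) and private-key files that ISE's import form expects,
# and convert a .p7b chain to PEM. Runs offline on a self-signed sample it builds.
set -eu
umask 077                # the extracted key will be plaintext; keep it private

WORK="$(mktemp -d)"
PFX_PASS="changeit"      # assumed: the export password typed into the Windows wizard

# Constructed stand-ins for the .pfx and .p7b files you would already have.
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/orig.key" \
    -out "$WORK/orig.crt" -subj "/CN=ise.example.com" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -out "$WORK/export.pfx" -passout "pass:$PFX_PASS"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/orig.crt" -out "$WORK/chain.p7b"
}

# Leaf certificate as Base64 PEM (.cer) and the key with the PFX encryption removed.
split_pfx() {
  openssl pkcs12 -in "$WORK/export.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
    | openssl x509 -out "$WORK/ise.cer"     # x509 pass drops the "Bag Attributes" header
  openssl pkcs12 -in "$WORK/export.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
    | openssl pkey -out "$WORK/ise.key"     # pkey pass writes a clean PEM key
}

# A PKCS#7 (.p7b) bundle holds certificates only; ISE wants them as Base64 PEM.
p7b_to_pem() {
  # A .p7b exported from Windows is often DER; add "-inform DER" in that case.
  openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -out "$WORK/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"   # number of certs recovered
}

# Cheap sanity check before uploading: the key must belong to the certificate.
keys_match() {
  c="$(openssl x509 -in "$WORK/ise.cer" -noout -pubkey)"
  k="$(openssl pkey -in "$WORK/ise.key" -pubout 2>/dev/null)"
  [ "$c" = "$k" ]
}

make_samples && split_pfx && p7b_to_pem >/dev/null && keys_match \
  && echo "ise.cer and ise.key in $WORK are ready for the ISE import form"
```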

Greg is correct that it depends on whether the private key is exportable.

You may look around the net for how to back up the private key; e.g. Using Microsoft IIS to generate CSR and Private Key

If you are able to export the private key, then you may use this private key and the certificate chain in ISE as outlined by other responses in this thread.