05-18-2020 03:19 AM
Hi
We generated a CSR from one of our VPN devices (not Cisco) and we are using a wildcard cert.
My question is: how do I get this wildcard cert onto ISE 2,4 to be used for the guest portals when the CSR wasn't generated from ISE?
Thanks in advance
05-18-2020 04:31 PM
To import an identity (system) certificate, you need both the certificate and the private key. If the CSR was generated on the VPN device, you would need to copy the private key that was created for the CSR from the VPN device to a local file and import that key file with the certificate into ISE.
05-18-2020 10:45 PM
Hi
I have the pem, crt, gd-g2 files but am unsure what the process is?
Thanks for your response
05-18-2020 11:14 PM
You would need to consult the support information for your VPN solution to determine how you can export the private key (assuming it supports that) that was used to generate the CSR.
When you have that, you would import the certificate and private key in ISE from the Administration > System > Certificates > System Certificates using the Import button. Most systems require you to specify a password when exporting a private key, so the import form includes the password field.
Example:
05-19-2020 11:11 AM
Hi Greg
We generated the CSR from one of our servers (IIS), then imported it into our Juniper boxes, and this was straightforward. What extensions do they need to be for ISE? Can this even be done without generating the CSR from ISE? I'm sure it must be possible.
Thank you
05-19-2020 04:31 PM
You cannot import the CSR into ISE and you need the private key to import the identity certificate into ISE.
If you created the CSR from IIS Manager, I'm not aware that there is any option to mark that certificate as exportable, so you won't be able to export the signed certificate with the private key.
You can certainly generate a CSR outside of ISE, but you must use a method that allows you to export the private key so it can be imported into ISE with the signed certificate.
See this example of using OpenSSL to generate the key and CSR that can be signed by your CA:
Generate a CSR using OpenSSL on Microsoft Windows system
The Server Authentication Extended Key Usage (EKU) is required for an ISE system certificate.
05-20-2020 01:46 AM
Hi Greg
Thanks for the response!
Sounds like creating the CSR from ISE first, then exporting for other devices, would be much more straightforward. Any thoughts?
Thanks again
05-20-2020 05:56 PM
Yes, you could create a CSR for a wildcard certificate in ISE, bind that certificate to the CSR, then export it with the private key to use for another system. It just depends on what you intend to use that certificate for in ISE and any restrictions the other systems may have around wildcard certificates.
Also note the following guidelines that ISE has in the CN field of the CSR form:
4. For EAP Wildcard certificates:
- CN should not include wildcard
- If there is a CN, it must also exist in the SAN DNS Name
- The wildcard should be present in the SAN DNS Name.
Example:
CN = ise.example.com
SAN DNS Name 1 = ise.example.com
SAN DNS Name 2 = *.example.com
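The OpenSSL route and the CN/SAN guidelines from the replies above, as an added example that is not part of the original thread or Cisco's documentation. It generates a private key as a file you control plus a wildcard CSR, then checks the CSR against those guidelines and the Server Authentication EKU; `example.com`, the file names and the function names are placeholders.

```shell
#!/usr/bin/env bash
# Added example. example.com, the file names and the function names are placeholders.

# Create a key file you control plus a CSR for the CA to sign.
make_wildcard_csr() {            # usage: make_wildcard_csr <fqdn> <domain> <outdir>
  local fqdn=$1 domain=$2 out=$3
  mkdir -p "$out" || return 1
  cat > "$out/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn, DNS:*.$domain
extendedKeyUsage = serverAuth
EOF
  # umask keeps the private key readable by its owner only.
  (umask 077; openssl genrsa -out "$out/wildcard.key" 2048 2>/dev/null) || return 1
  openssl req -new -key "$out/wildcard.key" -config "$out/csr.cnf" -out "$out/wildcard.csr"
}

# Return 0 only if the CSR follows the CN/SAN guidelines and requests Server Authentication.
check_csr() {                    # usage: check_csr <csr-file>
  local csr=$1 text cn sans
  text=$(openssl req -in "$csr" -noout -text) || return 1
  cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
       awk -F' = ' '/commonName/ {print $2}')
  sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  case $cn in *'*'*) echo "CN contains a wildcard" >&2; return 1 ;; esac
  if [ -n "$cn" ] && ! printf '%s\n' "$sans" | grep -qxF -- "$cn"; then
    echo "CN missing from SAN DNS names" >&2; return 1
  fi
  printf '%s\n' "$sans" | grep -q '^\*\.' ||
    { echo "no wildcard SAN DNS name" >&2; return 1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
    { echo "Server Authentication EKU not requested" >&2; return 1; }
}

make_wildcard_csr ise.example.com example.com ./ise-csr &&
  check_csr ./ise-csr/wildcard.csr && echo "CSR ready: ./ise-csr/wildcard.csr"
```

The CA decides which requested extensions end up in the signed certificate, so inspect the issued certificate for the SAN names and EKU as well before importing it with `wildcard.key`.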
05-20-2020 05:48 AM
Hi Greg
Forgot to add in my first reply: we exported from IIS and then imported into the VPN devices. We got .crt and .pem, and a PKCS file .p7b
Thanks
05-22-2020 07:13 AM
06-01-2020 12:10 AM
Hi
Thanks for that. I see in IIS how to export in base64, but any idea about how to get the pvk file for ISE?
06-01-2020 12:45 AM
06-01-2020 04:24 PM
It sounds like you're trying to export the certificate with the private key (PVK) file from your Windows server to import them into ISE. This can be done, but would require the following:
Example:
06-02-2020 08:14 PM
Greg is correct that it depends on whether the private key is exportable.
You may look around the net for how to back up the private key; e.g. Using Microsoft IIS to generate CSR and Private Key
If you are able to export the private key, then you may use this private key and the certificate chain in ISE as outlined by other responses in this thread.