Public wildcard certificate

Madura Malwatte
Level 4

I currently have a private wildcard certificate installed on my ISE deployment for use for admin, EAP auth and portals. Its SAN is *.ise.company.com. However, I am in the process of getting a public certificate for the portals (guest hotspot, sponsor, my devices, CWA, etc.). Could this be just a single wildcard public certificate for use on all the different portals? What would the CN be for the public cert (same as the private wildcard cert? Would this cause issues?)


Would I have the private wildcard usage ticked for just EAP authentication, and the public wildcard for admin and all other portals?


I also have a PSN in the DMZ (used just for the guest portal). Would I need to separate out the public wildcard into two certs, one cert being for just the guest portal which will be imported only into the DMZ PSN, while the internal PSNs would have the other public wildcard cert for the remaining portals?

Accepted Solution

The restriction is only for cert used for EAP.


5 Replies

pan
Cisco Employee

One wildcard certificate can be used for portals.

For EAP you should use internal wildcard certificate otherwise EAP-TLS will fail.

Just to second what @pan said, the EAP cert can be a wildcard cert (preferably internal PKI) but ensure that the certificate's Subject does NOT contain the wildcard!!! It will break Windows supplicants because Microsoft does not support Wildcards in the Subject. You must put the wildcard in the SAN instead (DNS: *.mycompany.com) - the Subject Common Name is largely irrelevant in this case - you can make it megacorp.mycompany.com - call it anything, as long as you don't put a wildcard in there :-)
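The two rules in this thread (keep the wildcard out of the Subject CN on any certificate used for EAP, and remember that a wildcard DNS SAN covers exactly one label, so the bare name such as ise.company.com needs its own SAN entry) can be encoded as a quick pre-flight check on a planned certificate profile. This is an added example written for this page, not Cisco or ISE code; the `CertProfile` structure, the usage labels "EAP", "Admin" and "Portal", and all hostnames are constructed for the illustration.

```python
"""Pre-flight checks for a planned ISE certificate profile (added example,
not Cisco's code). Encodes the two rules discussed in the thread:
  1. a certificate with the EAP usage must not carry a wildcard in its
     Subject CN; the wildcard belongs in a DNS SAN instead;
  2. a wildcard SAN matches exactly one leftmost label, so the bare domain
     and multi-level names must be listed separately if they are needed.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class CertProfile:
    """Hypothetical description of a certificate you are about to request."""
    cn: str
    sans: List[str] = field(default_factory=list)
    usages: Set[str] = field(default_factory=set)   # e.g. {"EAP", "Admin", "Portal"}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' is accepted only as the entire leftmost
    label and matches exactly one label; comparison is case-insensitive."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False            # partial or non-leading wildcards are rejected
    if len(p_labels) != len(h_labels):
        return False            # '*' never matches zero labels or more than one
    return p_labels[1:] == h_labels[1:]


def covered_by(profile: CertProfile, hostname: str) -> bool:
    """True if any DNS SAN on the profile covers the hostname."""
    return any(wildcard_matches(san, hostname) for san in profile.sans)


def uncovered_hosts(profile: CertProfile, hostnames: List[str]) -> List[str]:
    """Names you intend to serve that no SAN entry on the profile matches."""
    return [h for h in hostnames if not covered_by(profile, h)]


def check_profile(profile: CertProfile) -> List[str]:
    """Return human-readable findings; an empty list means the plan is fine."""
    findings = []
    if "EAP" in profile.usages and "*" in profile.cn:
        findings.append(
            f"CN '{profile.cn}' contains a wildcard but the certificate is "
            "used for EAP; Windows supplicants reject this. Use a plain CN "
            "and put the wildcard in a DNS SAN."
        )
    for san in profile.sans:
        if "*" in san and not wildcard_matches(san, san.replace("*", "host", 1)):
            findings.append(f"SAN '{san}' is not a valid wildcard pattern.")
    return findings


if __name__ == "__main__":
    # Constructed sample: internal cert for EAP + admin, public cert for portals.
    internal = CertProfile("ise.company.com",
                           ["ise.company.com", "*.ise.company.com"],
                           {"EAP", "Admin"})
    public = CertProfile("*.ise.company.com",
                         ["*.ise.company.com"], {"Portal"})
    for name, prof in (("internal", internal), ("public", public)):
        print(name, check_profile(prof) or "OK")
        print("  uncovered:", uncovered_hosts(prof, ["ise.company.com",
                                                     "guest.ise.company.com",
                                                     "a.b.ise.company.com"]))
```

Running the script shows that the internal profile (plain CN, wildcard only in the SAN) passes for EAP, that the public portal-only profile may carry the wildcard in its CN without complaint, and that a SAN list consisting solely of *.ise.company.com leaves both ise.company.com and a.b.ise.company.com uncovered, which is why the poster's internal certificate lists the bare name alongside the wildcard.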


Does this apply to the public wildcard cert too? I already have an internal wildcard certificate working fine.


For the public one, would the format be identical to my internal wildcard? i.e.:

CN: ise.company.com

SAN DNS: ise.company.com, *.ise.company.com


Or can I just utilize the below, since there is no restriction like the internal wildcard, where the Windows supplicant does not support a wildcard in the CN? i.e.:

CN: *.ise.company.com


The restriction is only for cert used for EAP.

Excellent, that's what I thought. Thanks for confirming.