1066 Views · 0 Helpful · 3 Replies

Renewing ISE SSL certificates, wildcard

It is time to renew our SSL certificates in ISE. We are on ISE 3.0. We use wildcard certificates. I have a few questions:

1) If we have already generated our wildcard cert (for multiple products) from our third-party provider, do I need to generate a CSR as indicated in 'Configure Certificate Renewals on ISE'?

2) We previously had to generate a named SAN cert specific to our ISE node for the EAP certificate. I understand that this is no longer necessary and that we can use our wildcard cert; however, we have to be careful with the CN reference. Can anyone point me to instructions on this?

3) It was advised in the video on ISE certifications, dated March 2022, that the services should be on separate certificates. How does this work with a single wildcard certificate?

Thank you for any advice.

Accepted Solution

ammahend (VIP)

See answers below:

1) If we have already generated our wildcard cert (for multiple products) from our third-party provider, do I need to generate a CSR as indicated in 'Configure Certificate Renewals on ISE'?

You can use the existing cert as well as generate a new CSR. If you generate the CSR on ISE itself, then of course ISE will have its private key; if you generate it using OpenSSL or something similar, you have to import the private key as well. For a wildcard, keep the wildcard as a SAN, not as the subject CN, as some vendors create issues with a wildcard as the subject CN.

2) We previously had to generate a named SAN cert specific to our ISE node for the EAP certificate. I understand that this is no longer necessary and that we can use our wildcard cert; however, we have to be careful with the CN reference. Can anyone point me to instructions on this?

You can do EAP authentication with a wildcard, but it should be in the subject alternative name, not the primary CN.

3) It was advised in the video on ISE certifications, dated March 2022, that the services should be on separate certificates. How does this work with a single wildcard certificate?

This is totally up to you; it's not compulsory but is considered best practice, so that a certificate compromise only affects limited services. But it comes with management overhead.

-hope this helps-
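The two practical points in answers 1 and 2 (an externally generated cert must be imported together with its private key, and the wildcard belongs in the SAN rather than the subject CN) can be checked before anything is uploaded to ISE. The script below is an added illustration, not code from the post or from Cisco: it builds a CSR with OpenSSL the way the answer describes, self-signs it as a stand-in for the third-party CA, and then inspects the result. All hostnames, the organisation name and the file names are hypothetical placeholders.

```shell
#!/bin/sh
# Constructed demonstration (not from the ISE documentation or the thread above).
# Hostnames, organisation and file names below are hypothetical placeholders.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr <name> <cn> <san-list>
#   Writes $WORKDIR/<name>.key and $WORKDIR/<name>.csr. The CN is used as given;
#   the wildcard should be supplied in <san-list> (comma-separated DNS: entries).
make_csr() {
  name="$1"; cn="$2"; sans="$3"
  cat > "$WORKDIR/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
O = Example Org
[ext]
subjectAltName = $sans
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/$name.key" \
    -out "$WORKDIR/$name.csr" -config "$WORKDIR/$name.cnf" 2>/dev/null
  echo "$WORKDIR/$name.csr"
}

# self_sign <name> : stand-in for the third-party CA; keeps the requested extensions
self_sign() {
  name="$1"
  openssl x509 -req -in "$WORKDIR/$name.csr" -signkey "$WORKDIR/$name.key" -days 30 \
    -extfile "$WORKDIR/$name.cnf" -extensions ext -out "$WORKDIR/$name.pem" 2>/dev/null
  echo "$WORKDIR/$name.pem"
}

# wildcard_placement <cert.pem> : prints "cn" if a wildcard sits in the subject CN,
# "san" if it appears only in subjectAltName, "none" if there is no wildcard at all.
wildcard_placement() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  sans=$(openssl x509 -in "$1" -noout -text | grep 'DNS:' || true)
  case "$subj" in *'*.'*) echo cn; return 0;; esac
  case "$sans" in *'*.'*) echo san; return 0;; esac
  echo none
}

# key_matches_cert <key.pem> <cert.pem> : succeeds when the private key's public half
# equals the certificate's public key, i.e. the pair ISE needs when a certificate
# generated outside ISE is imported together with its key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Demo: recommended layout (node FQDN as CN, wildcard in SAN) versus wildcard-as-CN
make_csr good ise-node1.example.com 'DNS:ise-node1.example.com,DNS:*.example.com' >/dev/null
make_csr bad '*.example.com' 'DNS:*.example.com' >/dev/null
self_sign good >/dev/null
self_sign bad >/dev/null
echo "good.pem wildcard placement: $(wildcard_placement "$WORKDIR/good.pem")"  # san
echo "bad.pem wildcard placement:  $(wildcard_placement "$WORKDIR/bad.pem")"   # cn
if key_matches_cert "$WORKDIR/good.key" "$WORKDIR/good.pem"; then
  echo "good.key pairs with good.pem; import both together"
fi
```

Run it in any shell with OpenSSL on the path; `WORKDIR` can be pointed at a directory you want to keep. When the CSR is generated on ISE itself the key-pairing check is unnecessary, since ISE never releases that private key; the placement check is still worth running on the signed certificate the provider returns, because it is the CA, not the CSR, that decides what ends up in the subject.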


3 Replies

jbroderick@holycross.com, if you already have a wildcard certificate you just need to import it into ISE and assign the required service on each node.

Refer to this certificates guide, which covers wildcard usage. It's recommended to use a publicly signed certificate for the EAP certificate. It's up to you whether you wish to use the same certificate for each service or separate certificates for each service. Refer to this section on certificate deployment models: https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897#toc-hId-1417244287


Also, don't use a wildcard certificate for EAP. Windows clients will not trust it.

I am generally not a fan of wildcard certificates at all, as it tends to lead to private key sprawl and exposure. But this comes down to your individual organization's security policies. Do those policies allow you to use the same wildcard certificate across multiple services/platforms?
