What is the best practice for using public wildcard certs and an internal Windows CA?

ccie14007
Level 1

We just bought wildcard public SSL certificates. We also have a Windows Server CA in our network.

Just want to ask what is the best practice for:

Admin: Internal CA, Windows CA, or Public Wildcard CA?

EAP: Internal CA, Windows CA, or Public Wildcard CA?

Portal (Guest, BYOD etc.): Internal CA, Windows CA, or Public Wildcard CA?

 

I think:

Portal: should use the Public Wildcard CA.

Admin: the ISE internal CA is OK to build the cluster.

EAP: Windows Server CA.

Thanks.

5 Replies

Hi,

I personally would usually use a certificate issued from the Windows CA for Admin, but the Internal CA will obviously work.

I would use a universal certificate for EAP: create one EAP certificate and define a CN and SAN entries for each PSN. Export and import that same certificate onto all PSNs.

There is a Cisco Live presentation that explains more about this.

HTH
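The shared EAP certificate the reply above describes, as an added example using OpenSSL (this is not code from the thread or from Cisco): one CSR whose SAN lists every PSN FQDN, so the single issued certificate can be imported on all PSNs. The host names and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build one CSR for a shared ISE EAP
# certificate whose SAN names every PSN. Host names are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
CN="ise-psn1.company.com"
PSNS="ise-psn1.company.com ise-psn2.company.com ise-psn3.company.com"

# Write an OpenSSL request config whose [alt_names] section lists each PSN FQDN.
write_cnf() {
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$CN"
    printf '[ext]\nsubjectAltName = @alt_names\nextendedKeyUsage = serverAuth\n'
    printf '[alt_names]\n'
    i=1
    for h in $PSNS; do
      printf 'DNS.%d = %s\n' "$i" "$h"
      i=$((i + 1))
    done
  } > "$WORK/eap.cnf"
}

# Generate a private key and CSR, then print the decoded CSR for inspection.
make_csr() {
  write_cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/eap.key" \
    -out "$WORK/eap.csr" -config "$WORK/eap.cnf" 2>/dev/null
  openssl req -in "$WORK/eap.csr" -noout -text
}

# Return 0 only if every PSN FQDN appears as a DNS SAN in the decoded CSR text.
san_covers_all_psns() {
  csr_text="$1"
  for h in $PSNS; do
    printf '%s\n' "$csr_text" | grep -q "DNS:$h" || return 1
  done
  return 0
}

CSR_TEXT="$(make_csr)"
if san_covers_all_psns "$CSR_TEXT"; then
  echo "CSR names all PSNs in the SAN; submit $WORK/eap.csr to the CA, then import the issued cert on each PSN"
fi
```

Before submitting, confirm the SAN list in the decoded CSR matches the exact FQDNs the PSNs present to supplicants.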

ajc
Level 7

I would suggest you use the same portal certificate as Admin, because I hit a bug when I had an internal CA cert for Admin and a public cert for portals.

Thanks all,

Do you mean to use the wildcard public cert for all of Admin, EAP and Portal? I am confused.

By the way, say my company has the AD domain company.local. Then for the new ISE server, what domain name should I use: ise.company.local or ise.company.com? Which is better practice?

If I use ise.company.com, can it still join the company.local domain?

 

Check out Cisco Live BRKSEC-3697 for more information on certificates with ISE: https://clnv.s3.amazonaws.com/2016/eur/pdf/BRKSEC-3697.pdf

I'd personally keep the certificate roles separate.

ISE needs a registered DNS entry; it can be in any domain, as long as the FQDN is resolvable. If you register it as ise.company.com, yes, you can still join it to the company.local domain (by creating an external identity source).

HTH

Not sure what version you are planning to run. In any case, I was referring to a bug present on 2.2 patch 4 that affected the sponsor and guest portals (not EAP authc). (However, I think Cisco released a fix for this issue; I need to review my notes.)

I have an Entrust certificate for Admin and portals, plus another Internal CA certificate (wildcard cert) for EAP (installed on owned devices).