
Guest Portal Certificate

N3om
Level 1

Hi

If I generate a CSR and then bind the Certificate, does the wildcard Cert then get pushed to all nodes in our ISE deployment or just to the PSN Nodes?

Also, can I use *.boaders.co.uk as the CN name or would it have to be guest.boaders.co.uk?

Thanks


Arne Bier
VIP

If you select Portal Certs, then tick the box "wildcard" then you fill in the CN, OU etc. There will be 1 CSR created. When you bind the Cert back to the CSR, it will put the cert on all the PSNs. In fact, in a fully distributed ISE deployment, the portal certificate will land on any ISE node that has the Portal Tag that you associate the cert to. If you assign the cert to the "Default Portal Certificate Group" Portal Group Tag, then every node will get this (including PAN and MNT). It doesn't harm. But best practice is to create a new Portal Group Tag and assign the cert to it.

The CN can be anything you like - public CAs might have a rule about how it should look, but I would not put a wildcard in the CN. Your suggestion of guest.boaders.co.uk would be ideal IMHO. And in the SAN, you'd have 2 DNS entries:

guest.boaders.co.uk

*.boaders.co.uk
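The SAN layout suggested in the reply above, checked against a few portal hostnames. This is an added example, not part of the original posts and not Cisco code. It applies the whole-label wildcard rule from RFC 6125 and looks only at SAN DNS entries, ignoring the CN as current browsers do; every hostname other than guest.boaders.co.uk is constructed for illustration.

```python
# Added example: which hostnames does the suggested SAN list cover?
# SAN values come from the reply above; test hostnames are constructed.

PORTAL_SANS = ["guest.boaders.co.uk", "*.boaders.co.uk"]


def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".").split(".")


def san_entry_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # Same number of labels, and no empty label in the hostname.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one left-most label,
        # so it never spans a dot and never matches the bare domain.
        return p[1:] == h[1:]
    # Partial wildcards such as "g*.example" are treated as literals here.
    return p == h


def covered_by(hostname, sans=PORTAL_SANS):
    """Return the SAN entries covering hostname (empty list = name mismatch)."""
    return [s for s in sans if san_entry_matches(s, hostname)]


def coverage_report(hostnames, sans=PORTAL_SANS):
    """Map each hostname to the SAN entries that cover it."""
    return {h: covered_by(h, sans) for h in hostnames}


if __name__ == "__main__":
    candidates = [
        "guest.boaders.co.uk",       # portal FQDN from the thread
        "psn1.boaders.co.uk",        # constructed node name
        "boaders.co.uk",             # bare domain
        "guest.wifi.boaders.co.uk",  # constructed two-level subdomain
    ]
    for host, hits in coverage_report(candidates).items():
        print(f"{host:28} {'OK  ' + ', '.join(hits) if hits else 'MISMATCH'}")
```

A portal FQDN that sits more than one label below boaders.co.uk, or the bare domain itself, would need its own SAN entry.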

Hi @Arne Bier

Thanks for that info, very helpful. Do you know if, when our wildcard cert expires and we request another via the ISE CSR process, I have to upload the Root/Intermediate to trusted Certs every time we do this?

Thanks

Nope, you don't need to re-upload the CA chain, provided of course you renewed with the same CA and that their Issuing and Root CA certs are still the same ones that signed the previous cert.