04-24-2014 02:34 PM - edited 03-10-2019 09:40 PM
Hello all, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes.
I need to install public CA certs on them. Can I generate 1 CSR on one of the nodes that includes a SAN with the DNS names of all the nodes,
therefore get only 1 cert from the CA, and export and import the same cert into all the other nodes?
Or do I have to generate 1 CSR for each node and purchase 4 certs? Wildcard certs are not an option. Thanks.
04-24-2014 11:57 PM
ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.
The CSR for such a certificate cannot be generated from the ISE GUI. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html
Cisco ISE checks for a matching subject name as follows:
1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
3. If no match is found, the certificate is rejected.
Regards,
Jatin Katyal
*Do rate helpful posts*
04-25-2014 12:52 AM
Yes, I agree with Jatin. Please see what a SAN is and how it is useful.
The Subject Alternative Name field:
Subject Alternative Names let you protect multiple host names with a single SSL certificate.
Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate.
Secure host names on different base domains in one SSL Certificate. A wildcard certificate can protect all first-level subdomains on an entire domain, such as *.example.com. But a wildcard cannot protect both www.example.com and www.example.net.
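The three-step name check Jatin quotes above, together with the SAN-versus-wildcard point in the reply just before this, as an added example in Python (this is not ISE code and not from either poster). The certificate records are hand-constructed and hold only the Subject CN and the SAN dNSName list; the four node FQDNs under example.com are made up for illustration; and the wildcard rule follows RFC 6125 (a leading `*` matches exactly one DNS label), which the thread does not state for ISE and is therefore an assumption. The openssl_san_line helper only formats the SAN list in the syntax accepted by `openssl req -addext` (OpenSSL 1.1.1 and later) for anyone generating the CSR outside the ISE GUI.

```python
"""Model of the ISE subject-name matching order described in the thread.

Constructed example, not ISE code. Rules modelled:
  1. SAN dNSName entries are checked first; if any exist, one must match
     the node FQDN (wildcard allowed), and the CN is NOT consulted.
  2. Only when the SAN has no DNS names (or is absent) is the Subject CN
     (plain or wildcard) compared against the node FQDN.
  3. Otherwise the certificate is rejected.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate: Subject CN + SAN DNS names."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive hostname match with RFC 6125-style wildcards.

    '*.example.com' matches 'ise-psn1.example.com' but not 'a.b.example.com'
    or 'example.com'. A '*' anywhere but the leftmost label is rejected.
    (Assumption: ISE's exact wildcard semantics are not given in the thread.)
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    if not p.startswith("*.") or "*" in p[2:]:
        return False
    plabels, hlabels = p.split("."), h.split(".")
    return (len(plabels) == len(hlabels)
            and plabels[1:] == hlabels[1:]
            and hlabels[0] != "")


def ise_name_check(cert: Cert, node_fqdn: str) -> tuple[bool, str]:
    """Return (accepted, reason) applying the three rules in order."""
    # Rule 1: any DNS names in the SAN take precedence; CN is ignored then.
    if cert.san_dns:
        for name in cert.san_dns:
            if _name_match(name, node_fqdn):
                return True, f"SAN dNSName {name!r} matches {node_fqdn}"
        return False, "SAN has DNS names but none match; CN not consulted"
    # Rule 2: no DNS names in the SAN, fall back to the Subject CN.
    if _name_match(cert.subject_cn, node_fqdn):
        return True, f"no SAN DNS names; CN {cert.subject_cn!r} matches"
    # Rule 3: nothing matched.
    return False, "no SAN DNS name and CN does not match; rejected"


def nodes_accepting(cert: Cert, nodes: list[str]) -> list[str]:
    """Which of the deployment's nodes would accept this certificate."""
    return [n for n in nodes if ise_name_check(cert, n)[0]]


def openssl_san_line(names: list[str]) -> str:
    """SAN extension in the form used with `openssl req -addext`."""
    return "subjectAltName=" + ",".join(f"DNS:{n}" for n in names)


# Constructed four-node deployment (names made up for this example).
NODES = ["ise-pan1.example.com", "ise-pan2.example.com",
         "ise-psn1.example.com", "ise-psn2.example.com"]

# One cert for all nodes: CN is one node, SAN lists every node FQDN.
multi_san_cert = Cert("ise-pan1.example.com", list(NODES))
# CN only, no SAN: valid on exactly one node.
cn_only_cert = Cert("ise-pan1.example.com")
# SAN present but for the wrong domain: rejected everywhere, even where
# the CN would have matched, because rule 1 stops the CN fallback.
san_wrong_domain_cert = Cert("ise-pan1.example.com", ["ise-pan1.example.net"])
# Wildcard cert: covers every first-level host under example.com only.
wildcard_cert = Cert("*.example.com", ["*.example.com"])
# SAN spanning two base domains, which a single wildcard cannot do.
cross_domain_cert = Cert("ise-pan1.example.com",
                         ["ise-pan1.example.com", "ise-pan1.example.net"])

if __name__ == "__main__":
    for label, cert in [("multi-SAN", multi_san_cert), ("CN-only", cn_only_cert),
                        ("SAN wrong domain", san_wrong_domain_cert),
                        ("wildcard", wildcard_cert)]:
        print(f"{label:16} accepted on: {nodes_accepting(cert, NODES)}")
    print(openssl_san_line(NODES))
```

The practical consequence for the question in the thread: one certificate whose SAN lists all four node FQDNs is accepted on all four nodes, while a certificate whose CN names one node and whose SAN lists a different name is rejected even on that node, so when a SAN is present every intended FQDN has to be in it.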
04-25-2014 07:45 AM
Hello Jatin. Thanks for the response. It was very helpful. You mentioned that the CSR cannot be generated from the ISE GUI. I believe that in 1.2 you can add the SAN DNS to the CSR in the GUI.
I'm not sure if that document is referring to an older version? Can you confirm this? Thanks.
04-25-2014 07:57 AM
Yes, you're correct. The document was created prior to ISE 1.2. You can generate CSR from the ISE GUI and add SAN.
Regards,
Jatin Katyal
*Do rate helpful posts*