Cisco ISE 1.2: install certificates for ISE cluster question

west33637
Level 1

Hello all, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes.

I need to install public CA certs on them. Can I generate one CSR on one of the nodes that includes a SAN with the DNS names of all the nodes,

and therefore get only one cert from the CA, then export and import the same cert into all the other nodes?

Or do I have to generate one CSR for each node and purchase 4 certs? Wildcard certs are not an option. Thanks.


4 Replies

Jatin Katyal
Cisco Employee (Accepted Solution)

ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.

The CSR for such a certificate cannot be generated from the ISE GUI. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html

Cisco ISE checks for a matching subject name as follows:

1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.

2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3. If no match is found, the certificate is rejected.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

Saurav Lodh
Level 7

Yes, I agree with Jatin. Please see what a SAN is and how it is useful.

The Subject Alternative Name field:

Subject Alternative Names let you protect multiple host names with a single SSL certificate.

Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate.
Secure host names on different base domains in one SSL certificate. A wildcard certificate can protect all first-level subdomains on an entire domain, such as *.example.com, but a wildcard cannot protect both www.example.com and www.example.net.
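The following is an added example, not code from the thread or from Cisco: it builds the single multi-SAN CSR that Jatin describes, signs it with a throw-away test CA, and then checks the issued certificate against each node FQDN the way Jatin's three matching steps say ISE does (SAN DNS names first, CN only when the SAN has no DNS names), alongside a CN-only certificate and a CN wildcard to show Saurav's point that a wildcard cannot cover a second base domain. The node names (ise-pan1/ise-pan2/ise-psn1/ise-psn2 under example.com), the test CA and the working directory are all constructed for illustration. The openssl `-checkhost` matching order is the same as the order described in the thread, but its exact wildcard handling is openssl's, not verified against ISE.

```shell
#!/bin/sh
# Added example (not from the thread): one CSR with a SAN listing every ISE
# node, signed by a throw-away CA, then checked against each node FQDN.
# Node names, the test CA and the output directory are constructed here.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed cluster: 2 admin/monitor nodes + 2 policy service nodes.
NODES="ise-pan1.example.com ise-pan2.example.com ise-psn1.example.com ise-psn2.example.com"

# CSR config: CN is the node the CSR is generated on; SAN carries all four.
cat > csr.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = ise-pan1.example.com
O  = Example Corp

[ v3_req ]
subjectAltName = DNS:ise-pan1.example.com,DNS:ise-pan2.example.com,DNS:ise-psn1.example.com,DNS:ise-psn2.example.com
EOF

# Throw-away CA standing in for the public CA the cluster owner would buy from.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Test CA" -days 30 >/dev/null 2>&1

# The single multi-SAN CSR; this is the artifact you would submit to the CA.
openssl req -new -newkey rsa:2048 -nodes -keyout ise.key -out ise.csr \
  -config csr.cnf >/dev/null 2>&1

# Sign it. x509 -req drops CSR extensions, so re-apply the SAN via -extfile.
openssl x509 -req -in ise.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -extfile csr.cnf -extensions v3_req -out ise.pem -days 30 >/dev/null 2>&1

# Two comparison certs: CN only (no SAN), and a CN wildcard.
openssl req -x509 -newkey rsa:2048 -nodes -keyout cn.key -out cn-only.pem \
  -subj "/CN=ise-pan1.example.com" -days 30 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout wild.key -out wildcard.pem \
  -subj "/CN=*.example.com" -days 30 >/dev/null 2>&1

# san_names CERT: print the DNS names carried in the SAN (empty if none).
san_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# covers CERT FQDN: exit 0 if CERT's names match FQDN. openssl's -checkhost
# uses SAN DNS names first and falls back to the CN only when the SAN has
# no DNS names, the same order ISE's check follows (wildcard handling here is
# openssl's, not necessarily identical to ISE's).
covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

for cert in ise.pem cn-only.pem wildcard.pem; do
  echo "== $cert  (SAN DNS: $(san_names "$cert"))"
  for fqdn in $NODES www.example.net; do
    if covers "$cert" "$fqdn"; then
      echo "   $fqdn: match"
    else
      echo "   $fqdn: no match (this node would reject the cert)"
    fi
  done
done
```

In the real deployment the `openssl req -new` step is replaced by the CSR that ISE 1.2 generates from its own GUI (with the SAN entries added there, as confirmed later in this thread); the check loop is what you would run on the certificate the CA returns before binding it. One practical caveat: the other three nodes need the private key that belongs to the certificate, so "export and import the same cert" from the node that generated the CSR has to include the key, not the certificate alone.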

west33637
Level 1

Hello Jatin. Thanks for the response. It was very helpful. You mentioned that the CSR cannot be generated from the ISE GUI. I believe that in 1.2 you can add the SAN DNS to the CSR in the GUI.

I'm not sure if that document is referring to an older version? Can you confirm this? Thanks.

Jatin Katyal
Cisco Employee (Accepted Solution)

Yes, you're correct. The document was created prior to ISE 1.2. You can generate the CSR from the ISE GUI and add the SAN.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin