Cisco Support Community

New Member

cisco ise 1.2 install certificates for ise cluster question

Hello all, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitor, 1 secondary admin/primary admin, and 2 policy nodes.

I need to install public CA certs on them. Can I generate 1 CSR on one of the nodes that includes a SAN with the DNS names of all the nodes,

and therefore get only 1 cert from the CA, then export and import the same cert into all the other nodes?

Or do I have to generate 1 CSR for each node and purchase 4 certs? Wildcard certs are not an option. Thanks.

4 REPLIES
Cisco Employee (accepted solution)

ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.

The CSR for such a certificate cannot be generated from the ISE GUI: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html

Cisco ISE checks for a matching subject name as follows:

1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.

2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3. If no match is found, the certificate is rejected.

 

Regards,

Jatin Katyal

*Do rate helpful posts*
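To make the two points in Jatin's reply concrete (one CSR whose SAN carries every node FQDN, and the SAN-before-CN matching order ISE applies), here is an added example that is not part of the original thread and not Cisco's tooling. It assumes four hypothetical node hostnames under example.com, builds the CSR with openssl from a request config file, self-signs it locally only so the name checks can run offline (in a real deployment the CSR goes to the public CA instead), and uses `openssl x509 -checkhost` (OpenSSL 1.1.1 or newer), which checks SAN DNS names first and falls back to the CN only when the certificate has no DNS SAN, the same precedence as rules 1 and 2 above.

```shell
#!/bin/sh
# Added example, not from the original thread. Node names, domain and the
# organisation string are constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="example.com"
NODES="ise-pan1 ise-pan2 ise-psn1 ise-psn2"   # constructed ISE node hostnames

# Write the OpenSSL request config. The CN is the primary admin node, but
# every node FQDN (CN included) is listed in subjectAltName: once a SAN with
# DNS names exists, the CN is no longer consulted for hostname matching.
write_req_config() {
  cfg="$WORK/san.cnf"
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "req_extensions = v3_req"
    echo "prompt = no"
    echo "[dn]"
    echo "CN = ise-pan1.$DOMAIN"
    echo "O = Example Corp"
    echo "[v3_req]"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    i=1
    for n in $NODES; do
      echo "DNS.$i = $n.$DOMAIN"
      i=$((i + 1))
    done
  } > "$cfg"
  echo "$cfg"
}

# Generate one private key and one CSR carrying all four SAN entries, then
# self-sign it with the same extensions so the checks below work offline.
make_csr_and_cert() {
  cfg=$(write_req_config)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ise.key" -out "$WORK/ise.csr" -config "$cfg" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/ise.csr" -signkey "$WORK/ise.key" \
    -extfile "$cfg" -extensions v3_req -out "$WORK/ise.crt" 2>/dev/null
}

# Show the SAN line of the CSR so it can be reviewed before it goes to the CA.
show_csr_sans() {
  openssl req -in "$WORK/ise.csr" -noout -text | grep "DNS:"
}

# Ask openssl whether the certificate is valid for a given node FQDN.
# Prints "<fqdn>: match" and returns 0, or "<fqdn>: no match" and returns 1.
cert_covers_host() {
  if openssl x509 -in "$WORK/ise.crt" -noout -checkhost "$1" | grep -q "does match"; then
    echo "$1: match"; return 0
  else
    echo "$1: no match"; return 1
  fi
}

make_csr_and_cert
show_csr_sans
for n in $NODES; do cert_covers_host "$n.$DOMAIN"; done
# A node that was left out of the SAN is rejected even though the CN shares
# its domain: with DNS names in the SAN, the CN is never consulted.
cert_covers_host "ise-psn3.$DOMAIN" || true
```

The last check is the practical caveat for a shared certificate: a node added to the deployment later is not covered unless its FQDN was already in the SAN, so the CSR has to list every node the certificate will ever be imported on, and the exported bundle for the other nodes must include the private key as well as the certificate.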

Yes, I agree with Jatin. Please see what a SAN is and how it is useful.

The Subject Alternative Name field:

Subject Alternative Names let you protect multiple host names with a single SSL certificate.

Subject Alternative Names allow you to specify a list of host names to be protected by a single SSL certificate. They secure host names on different base domains in one SSL certificate. A wildcard certificate can protect all first-level subdomains on an entire domain, such as *.example.com, but a wildcard cannot protect both www.example.com and www.example.net.

New Member

Hello Jatin, thanks for the response. It was very helpful. You mentioned that the CSR cannot be generated from the ISE GUI. I believe that in 1.2 you can add the SAN DNS names to the CSR in the GUI.

I'm not sure if that document is referring to an older version? Can you confirm this? Thanks.

Cisco Employee (accepted solution)

Yes, you're correct. The document was created prior to ISE 1.2. You can generate a CSR from the ISE GUI and add a SAN.

 

Regards,

Jatin Katyal

*Do rate helpful posts*