New Member

Installing wildcard cert on ISE for HTTP/EAP

I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but I am not sure of the process, and the Cisco docs add to the confusion. Am I supposed to generate a new CSR to give to the CA, or do I simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, I don't know...

Any assistance would be greatly appreciated

5 REPLIES
New Member

Hi,

In order to create a CSR file from the ISE using a wildcard certificate, you can do the following:

From the CSR page, enter the CN=*.yourdomain.com

and if you have a specific DNS entry for your ISE like ise1.yourdomain.com under the SAN fields.

Also, you need to check the box of "Allow Wildcard Certificate".

After that, you can generate and export the CSR and submit it to your CA to get the ID certificate (which you will bind with the CSR).

Also, you need the CA certificate itself to be added on the ISE certificate store.

 

Thanks.

Ahmad.

New Member

I have not yet created the CSR, and thank you for the instructions. My confusion is this:

I have the actual wildcard cert (*.domain.com cert), along with the CA bundle. I have imported the CA bundle already, but is there anything I should be doing with the *.domain.com cert?

Does it need to be imported, or is it useless? My understanding of a wildcard cert is that the single cert can be installed on whatever you'd like to use it on... or do you still need to go through the CSR process for each application on which you'd like to use it?

New Member

Unfortunately, you first need to create a CSR with the wildcard filled in either the CN or DNS fields, and then you need to sign this CSR from the CA using the exact same values and bind it again to the CSR on the ISE configuration.

Cisco Employee

If you are already in possession of the wildcard cert and the private key, then you don't need a CSR. You can simply import the certificate in ISE:

1. Go to Administration > Certificates > Local Certificates > Add > Import Server Certificate

2. Use the "browse" buttons to point to the certificate file and private key

3. Check "Allow Wildcard Certificates"

4. Select the protocol that you want to use it for (EAP or HTTPS or both)

5. Hit submit

6. Go to Certificates Store

7. Import the root CA certificate and Intermediate CA certificate(s) (If any)

 

Thank you for rating helpful posts!

 

A word of caution. If you are planning to use this cert for 802.1x in BYOD environments, you should look into using a SAN cert instead, with all your PSNs in it. Wildcard certs are not good for Windows machines in a PEAP/BYOD scenario, and iOS also has issues with certain wildcard certs.
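
A pre-import check for the import steps and the SAN caution in the replies above, as an added example that is not part of any post in this thread: it confirms that the private key belongs to the certificate and lists the CN and SAN names so a wildcard entry is visible before upload. It assumes the OpenSSL command-line tool is installed; `example.test`, the file names and the function names are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: sanity checks on a certificate/private-key pair before import.
# example.test and all file names are constructed placeholders.

# SHA-256 of a PEM public key read from stdin, hashed in DER form.
pub_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    _c=$(openssl x509 -in "$1" -noout -pubkey | pub_hash)
    _k=$(openssl pkey -in "$2" -pubout | pub_hash)
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# DNS names from subjectAltName, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Subject CN followed by the SAN DNS names.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
    cert_san_dns "$1"
}

# Succeed if any name in the certificate is a wildcard ("*.domain").
cert_is_wildcard() { cert_names "$1" | grep -q '^\*\.'; }

# Build a throwaway self-signed wildcard pair and an unrelated key in dir $1.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -addext "subjectAltName=DNS:*.example.test,DNS:ise1.example.test" \
        -keyout "$1/wild.key" -out "$1/wild.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Usage: ./precheck.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY DOES NOT MATCH"
    cert_is_wildcard "$1" && echo "wildcard name present" || echo "no wildcard name"
    echo "names in certificate:"; cert_names "$1" | sort -u
fi
```

A key that does not match the certificate is worth catching here, before the files are submitted in the import dialog.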
