04-15-2024 06:31 AM
Hi
Do I need to generate a CSR for a cert on ISE (it's a * cert), or can I just add the cert to the ISE nodes for Portal use?
Thanks
04-17-2024 03:06 AM
@benolyndav "trusted for authentication within ISE" and the sub options.
04-15-2024 06:40 AM - edited 04-15-2024 07:07 AM
@benolyndav no, you do not need to generate the CSR on ISE itself. It can be generated by other means, but when you import the signed certificate into ISE you will need to import the private key.
This is quite common if you use a wildcard/multi-domain certificate.
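An added example, not part of any participant's post: one way to create the key and a wildcard CSR outside ISE, then confirm that the signed certificate returned by the CA matches the private key before importing both. It assumes OpenSSL 1.1.1 or later on the workstation; the host names and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example. portal.example.com and *.example.com are constructed
# placeholders; substitute the names your portal actually uses.

# Create a new RSA key and a CSR with a wildcard SAN, outside ISE.
# $1 = key output path, $2 = CSR output path, $3 = CN, $4 = wildcard DNS name
make_wildcard_csr() {
    (
        umask 077   # the private key must not be readable by other users
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1" -out "$2" \
            -subj "/CN=$3" \
            -addext "subjectAltName=DNS:$3,DNS:$4" 2>/dev/null
    )
}

# Return 0 if the CSR lists the expected DNS name in its SAN extension.
# grep -F is required: the "*" in a wildcard name must be matched literally.
# $1 = CSR path, $2 = DNS name to look for
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Return 0 only if the certificate carries the public key that belongs to
# the private key. Run this on the CA's signed certificate before import:
# a mismatch means the wrong key file was paired with the certificate.
# $1 = private key path, $2 = certificate path (PEM)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Typical use (paths are placeholders):
#   make_wildcard_csr portal.key portal.csr portal.example.com '*.example.com'
#   csr_has_san portal.csr '*.example.com' && echo "CSR ready to submit"
#   key_matches_cert portal.key signed-portal.pem && echo "pair is consistent"
```

The key is written unencrypted here, so keep it on a trusted workstation and delete it once the certificate and key have been imported to every node.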
04-15-2024 07:37 AM - edited 04-15-2024 07:45 AM
04-15-2024 07:58 AM
@benolyndav I assume you are referring to when processing the CSR via a public provider? Yes, I imagine Apache would work.
04-16-2024 05:38 AM
Hi @Rob Ingram
Yes, I was referring to that process. Do you know which other formats would work as well?
Also, if I select generate CSR, do I choose portal now or do the usage later? And also, see image: do I select all the ISE nodes for the CSR and check the wildcard box?
Thanks
04-16-2024 05:49 AM
@benolyndav that screenshot is if you create the CSR on ISE, I thought you weren't going to do that?
If you do use ISE to generate the CSR, when you select "allow wildcard certificate" all the nodes disappear (meaning you cannot select them) and you define the certificate options (CN, OU etc). One CSR is created; get it signed and then import to all the other ISE nodes and assign the usage as Portal.
04-16-2024 06:08 AM
@Rob Ingram
Hi, great, I never noticed that, and yes, I might have to generate from ISE after all. So would you suggest leaving as multi-use until I have the signed cert back, then when importing to each node I select portal usage there?
Thanks
04-16-2024 06:19 AM
If the cert will be used on the portal then you should select the portal usage and associate the CSR to the portal group that will use the cert, however, even if you select multi-use and then you associate it to the portal usage it would work anyway, but there is no point to do it that way.
04-16-2024 06:32 AM
@benolyndav If the certificate is just used for Portal select portal.
Selecting the usage of a certificate is just a tick box, you can change the usage of other certificates anytime.
04-16-2024 07:20 AM
Can the friendly name be anything? It's appending the ISE node name on the friendly name, and I need to add to other nodes; does this matter?
Thanks
04-16-2024 07:23 AM
@benolyndav it can be anything, generally put a useful name related to its purpose.
04-17-2024 02:06 AM
@Rob Ingram
So I got the CSR bound and it looks OK. Another question: I'm assuming I need the new root cert in trusted certs in ISE. What should I select regarding "trusted for", and also does adding a cert to trusted certs trigger a services restart?
Thanks
04-17-2024 02:22 AM
Importing the root certificate (and the intermediate cert if used) into the trusted certificates store in ISE does not trigger any applications reload and you need to select the "Trust for client authentication and Syslog" option to allow ISE to accept the negotiation with the clients presenting a certificate issued by that root or intermediate CA.
04-17-2024 02:23 AM
@benolyndav yes, you need to import the root and intermediate root certificate, trusted for authentication.
No, services won't restart for the portal certificate, only the admin cert.
04-17-2024 02:42 AM