Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
532
Views
11
Helpful
18
Replies

ISE Cert Question

Go to solution
benolyndav
Level 4
Level 4

‎04-15-2024 06:31 AM

Hi

Do I need to generate a CSR for a cert on ISE its a *cert or can I just add the cert to the ISE Nodes for Portal use.??

 

Thanks

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-15-2024 06:40 AM - edited ‎04-15-2024 07:07 AM

@benolyndav no you do not need to generate the CSR on ISE itself. It can be generated by other means, but when you import the signed certificate into ISE you will need to import the private key.

 

1.png

This is quite common if you use a wildcard/multi-domain certificate.

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-16-2024 05:49 AM

@benolyndav that screenshot is if you create the CSR on ISE, I thought you weren't going to do that?

If you do use ISE to generate the CSR when you select "allow wildcard certificate" all the nodes disappear (meaning you cannot select them) and you define the certificate options (CN, OU etc). One CSR is created, get it signed and then import to all the other ISE nodes and assign the usage as Portal.

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-17-2024 03:06 AM

@benolyndav  "trusted for authentication within ISE" and the sub options.

View solution in original post

18 Replies 18

Go to solution
Rob Ingram
VIP
VIP

‎04-15-2024 06:40 AM - edited ‎04-15-2024 07:07 AM

@benolyndav no you do not need to generate the CSR on ISE itself. It can be generated by other means, but when you import the signed certificate into ISE you will need to import the private key.

 

1.png

This is quite common if you use a wildcard/multi-domain certificate.

Go to solution
benolyndav
Level 4
Level 4
In response to Rob Ingram

‎04-15-2024 07:37 AM - edited ‎04-15-2024 07:45 AM

@Rob Ingram 
Thanks for that, do the Certs have to be apache ??

 

Thanks

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-15-2024 07:58 AM

@benolyndav I assume you are referring to when processing the CSR via a public provider? Yes, I imagine apache would work.

Go to solution
benolyndav
Level 4
Level 4
In response to Rob Ingram

‎04-16-2024 05:38 AM

Hi @Rob Ingram 
Yes I was refering to that process, do you know which other formats would work as well.??
also if I select generate CSR do I choose portal now or do the uasgae later,? and also see image do I select all the ised nodes for the CSR ?? and check the wildcard box ?

benolyndav_0-1713271062320.png

 


Thanks

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-16-2024 05:49 AM

@benolyndav that screenshot is if you create the CSR on ISE, I thought you weren't going to do that?

If you do use ISE to generate the CSR when you select "allow wildcard certificate" all the nodes disappear (meaning you cannot select them) and you define the certificate options (CN, OU etc). One CSR is created, get it signed and then import to all the other ISE nodes and assign the usage as Portal.

Go to solution
benolyndav
Level 4
Level 4
In response to Rob Ingram

‎04-16-2024 06:08 AM

@Rob Ingram 
Hi great I never noticed that, and yes I might have to generate from ISE afterall,  So would you suggest leaving as multi use until I have the signed Cert back then when importing to each node there I select portal usage ??

benolyndav_0-1713272877245.png

Thanks

 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to benolyndav

‎04-16-2024 06:19 AM

If the cert will be used on the portal then you should select the portal usage and associate the CSR to the portal group that will use the cert, however, even if you select multi-use and then you associate it to the portal usage it would work anyway, but there is no point to do it that way.

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-16-2024 06:32 AM

@benolyndav If the certificate is just used for Portal select portal.

Selecting the usage of a certificate is just a tick box, you can change the usage of other certificates anytime.

Go to solution
benolyndav
Level 4
Level 4
In response to Rob Ingram

‎04-16-2024 07:20 AM

@Rob Ingram 

Can the friendly name be anything, its appending the ISE node name on the freindly name, and I need to add to other nodes, does this matter.?

Thanks

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-16-2024 07:23 AM

@benolyndav it can be anything, generally put a useful name related to its purpose.

0 Helpful

Go to solution
benolyndav
Level 4
Level 4
In response to Rob Ingram

‎04-17-2024 02:06 AM

@Rob Ingram 
So got the CSR binded and looks ok, another question I'm assuming I need the new root cert in trusted certs in ISE, what should I select regarding trusted for , and also does addding a cert to trusted certs trigger a services restart.??

Thanks

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to benolyndav

‎04-17-2024 02:22 AM

Importing the root certificate (and the intermediate cert if used) into the trusted certificates store in ISE does not trigger any applications reload and you need to select the "Trust for client authentication and Syslog" option to allow ISE to accept the negotiation with the clients presenting a certificate issued by that root or intermediate CA.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to benolyndav

‎04-17-2024 02:23 AM

@benolyndav yes you need to import the root and intermediate root certificate, trusted for authentication.

No services won't restart for the portal certificate only admin cert.

Go to solution
benolyndav
Level 4
Level 4
In response to Rob Ingram

‎04-17-2024 02:42 AM

@Rob Ingram Which one please there is multiple authentication options

 

benolyndav_0-1713346889635.png

 

0 Helpful
Customers Also Viewed These Support Documents