Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2615
Views
0
Helpful
3
Replies

ISE 1.3 and 2.0 certificate EKU requirements and CSR

Go to solution
Tim Baum
Cisco Employee
Cisco Employee

‎02-10-2016 01:36 PM

Is ISE 1.3 and/or 2.0 suppose to request EKU=client auth in the CSR it generates?

Customer ran into upgrade issues (1.3 -> 2.0) and I think I've found the issue. The server certs have a EKU with only server authentication. No client auth. I had them generate a new CSR and check it with openssl, there is a EKU of server auth, no client auth.

I've checked a couple versions and it seems to be consistent. When I look at my lab's server's certs they all have server AND client auth. My guess is my CA was adding it.

Is it expected that the CA adds this EKU or should the CSR request it (bug with ISE)? The cert usage type does not seem to change the KU or EKU fields.

Thanks

Tim

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎02-10-2016 06:29 PM

That should not matter normally.


If you mean ISE system server certificates, then they only need "server auth" unless used for pxGrid nodes. Microsoft CA issues certificates based on the certificate templates used.

Screen Shot 2016-02-10 at 6.26.22 PM.png


Many well-known CA, including HydrantID SSL CA, nowadays issue certificates with "server auth" and "client auth" in EKU, when we request for web server certificates.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
hslai
Cisco Employee
Cisco Employee

‎02-10-2016 06:29 PM

That should not matter normally.


If you mean ISE system server certificates, then they only need "server auth" unless used for pxGrid nodes. Microsoft CA issues certificates based on the certificate templates used.

Screen Shot 2016-02-10 at 6.26.22 PM.png


Many well-known CA, including HydrantID SSL CA, nowadays issue certificates with "server auth" and "client auth" in EKU, when we request for web server certificates.

0 Helpful

Go to solution
Tim Baum
Cisco Employee
Cisco Employee
In response to hslai

‎02-11-2016 05:28 AM

The customer requested new certs, specifically asking for server and client auth and that appears to have fixed the problem. There may be something else at work here but odd that these certs work with 1.3 but not with 2.0.  And requested new certs does.

0 Helpful

Go to solution
Tim Baum
Cisco Employee
Cisco Employee

‎02-19-2016 11:42 AM

It appears the problem is that ISE 2.0 is doing revocation checks when it is not enabled. The test environment has partial connectivity i.e. DNS works but LDAP is not allowed. It appears that when you try to register one ISE node to another, even with revocation not configured for the trusted CA certs, ISE is trying to check the CAs.

The CA certs have a LDAP and HTTP link for CRL, LDAP listed first. From the trace it appears that ISE does a DNS request, gets 30+ addresses back since the FQDN is a MS AD controller name and all the controllers are returned, then ISE tries an LDAP bind to each one, fails and then tries the next one. This goes on over and over. The ISE server seems to hang.

We tried configuring CRL retrieval with the HTTP link and that did not change the situation.

0 Helpful
Customers Also Viewed These Support Documents