
ISE wildcard guest

athan1234
Level 3

Dear all:

The wildcard guest public certificate has to be renewed. The business did not create a wildcard certificate, and I'm not sure if checking the box will suffice for it to work well (the CN in the certificate is different, but the domain is the same).


However, if a company made a wildcard certificate, I probably wouldn't use it because I'd need to extract the private key. I believe the wildcard certificate doesn't have the private key in a separate file because that would make it impossible for me to use it for ISE without using OpenSSL. However, would it be possible to create a CSR with a wildcard certificate, hand this file over to the other party, and have it send me the request before binding from the ISE?

I'm not sure if I described this clearly, because I find it difficult to understand certificates and because my English is not very good.


Marvin Rhoads
Hall of Fame

If you want to use a new wildcard you can create the CSR from your ISE PAN or use an external method like via openssl. Either way you will need the private key.

If you create the CSR from ISE, the private key will already be present on the PAN and you only need to bind the issued certificate to the server. If you created it externally then you will need to import the issued certificate as well as the private key used to sign the CSR.

athan1234
Level 3

When a private key for a wildcard certificate is supplied to me for import to ISE through a guest portal, it does not contain the private key in another file, right? To get it I will have to use openssl to extract the private key from the wildcard file or, on the other hand, generate a CSR from ISE and give this file to the public authority for a request; then they will send it to me and I am able to bind it from ISE.

When a certificate is given to you from a Certificate Authority, it will NOT have the private key. Otherwise it would not be "private".

Only if someone went to the effort to give you both the issued certificate and the original private key in a combined file (unusual but it sometimes happens when another part of the enterprise handles all things certificate-related) would you get both. In that case, it would be a PKCS12 file and they would need to also provide separately the passphrase used to encrypt the private key.

athan1234
Level 3

Okay, thanks for clarifying that the ideal way to import a wildcard certificate in ISE is to create a CSR on ISE, which I should then provide to my customer so that I may bind the certificate once they send it to me.

athan1234
Level 3

Imagine the situation:

The wildcard certificate is currently expired. My customer had a certificate with a CN; this CN does not resolve to ISE and it is expired. The last CN was NODE01.asesoramiento.com; now the ISE resolves to another CN, NODE02.asesoramiento.com. My customer doesn't want to pay for another certificate, so I am generating a CSR from ISE for the wildcard .asesoramiento.com and I marked "Allow Wildcard Certificates". I sent it to my customer and the entity has signed my CSR, but with the old CN NODE01.asesoramiento.com. What will happen if I bind this certificate on ISE with my CSR; will it work? Or will I have to tell my customer they need to create a new certificate for CN NODE02.asesoramiento.com or buy a wildcard certificate?

What will happen if I create a CSR from ISE with a wildcard certificate .*asesoramiento.com?

You may be able to get the certificate to bind but you may encounter unexpected and significant errors later on if the certificate is not properly formed with the CN or SAN of the Primary PAN (which I would assume is one of the two PSNs).

Certificates in ISE are VERY important and not something you want to have wrong. A proper new certificate costs less than US$100/year. If they spend more than an hour of professional services fixing issues arising from an incorrect certificate that amount is already gone.
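
An added illustration of the name-mismatch scenario discussed in this thread (not code from any poster or from Cisco): a small Python check, following the general RFC 6125 wildcard rules rather than any ISE-specific behaviour, of which node FQDNs a certificate's names cover. The function names are hypothetical, and the name lists are constructed from the hostnames mentioned above.

```python
# Added example: which hostnames does a certificate's name list cover?
# Rules follow RFC 6125: a wildcard is accepted only as the entire
# left-most label and stands in for exactly one label.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (SAN dNSName or CN) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels or the apex
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # reject over-broad patterns such as *.com
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not accepted
    return p_labels == h_labels


def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names, node_fqdns):
    """Map each node FQDN to whether the certificate covers it."""
    return {fqdn: cert_covers(cert_names, fqdn) for fqdn in node_fqdns}


if __name__ == "__main__":
    # Constructed inputs based on the hostnames in the thread.
    nodes = ["NODE01.asesoramiento.com", "NODE02.asesoramiento.com"]
    old_cn_cert = ["NODE01.asesoramiento.com"]   # signed with the old CN
    wildcard_cert = ["*.asesoramiento.com"]      # a properly issued wildcard
    for label, names in (("old CN", old_cn_cert), ("wildcard", wildcard_cert)):
        for fqdn, ok in audit(names, nodes).items():
            print(f"{label:8} {fqdn:28} {'covered' if ok else 'MISMATCH'}")
```
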