ISE 1.2 and WildCard Cert

hello,
I've found a great post from Aaron Woland about how to make/install/use a wildcard certificate.
http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
but there is something that was not answered by his post.
Can I use a wildcard cert to register a node to an ISE deployment? Aka adding a Monitor-only node to an Admin-only node.
Create CSR, receive cert from CA, add CA root, bind cert to CA root, then export key, then import on Mon node, then try to register Mon node? My first test didn't go well.
Any input would be appreciated

Basant,
I agree with what you are saying, but it seems that your statement contradicts the write-up in the Cisco user guide for 1.2: there are no limitations, and one of the benefits stated by the doc is that you can use wildcard certs as a cost-saving measure which will allow you to install the cert on all ISE nodes.
I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
Also, the true benefit of a wildcard cert is where the CN is *.domain.com; you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com. I do not think that is a cost-effective wildcard cert since the CN has the FQDN of the ISE node.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE 1.3 public wildcard cert

    Is it a good idea and common practice to just use a public CA for the wildcard certificate on each ISE node to avoid any certificate warnings on non-corporate devices?
    Is it OK then to use it also for EAP-TLS authentication? Clients will still have internal CA certs.
    Or should we have a separate internal wildcard cert just for EAP-TLS? In this case, will ISE 1.3 allow me to have two wildcard certs with the same SAN (*.domain.com), one public and the other internal? The public one would apply to web portals, and the internal one would apply to EAP-TLS.

    Hi Trevor-
    The use of Wildcard cert is perfectly acceptable for the guest portals. As you said, this will ensure that guest users don't get the certificate trust error. 
    However, for the EAP side of the house, you will need to get a non-wildcard certificate. Many supplicants (including Windows) will NOT accept a wildcard certificate when building an EAP tunnel.
    I hope this helps!
    Thank you for rating helpful posts! 

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

    I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
    The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
    When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
    I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
    If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate. Which is odd as it just accepted it.
    If I untick validate the client passes; if I tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

    I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to a client issue but not 100% sure some times.

  • Installing wildcard cert on ISE for HTTP/EAP

    I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but I am not sure of the process, and the Cisco docs add to the confusion. Am I supposed to generate a new CSR to give to the CA, or do I simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, I don't know...
    Any assistance would be greatly appreciated

    If you are already in the possession of the wildcard cert and the private key, then you don't need CSR. You can simply import the certificate in ISE:
    1. Go to Administration > Certificates > Local Certificates >  Add > Import Server Certificate
    2. Use the "browse" buttons to point to the certificate file and private key
    3. Check "Allow Wildcard Certificates"
    4. Select the protocol that you want to use it for (EAP or HTTPS or both)
    5. Hit submit
    6. Go to Certificates Store
    7. Import the root CA certificate and Intermediate CA certificate(s) (If any)
    Thank you for rating helpful posts!

  • Importing Wildcard Cert into Messaging Server and Comms Express???

    Hi all, does anyone know how I can import a wildcard certificate, private key, & CA cert into Messaging Server 6.3 and Comms Express 6.3?
    We have 3 files from DigiCert that I think need to be imported:
    1) A wildcard cert from DigiCert
    2) The DigiCert CA cert
    3) The private key
    Thanks in advance,
    Stewart

    Hi, we are upgrading from iMS5.2 to SJMS6.3 later this year but in the mean time I'm trying to work out how to import the wildcard certs, key, etc. from DigiCert into our current iMS5.2. I've heard it can be done.
    We're currently using a cert from Verisign in our iMS5.2 environment.
    Stewart

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • Federation with wildcard cert

    Hi,
    We have multiple SIP domains, and I am trying to reduce the number of certificates needed.
    I use a wildcard cert for one of the domains for the Edge and reverse proxy.
    It works fine to connect from outside etc. But federation is not working.
    In the DNS SRV record _sipfederationtls._tcp.domain2.com I have put the address sip.domain2.com as hostname, but it's actually pointing to an address that has the wildcard cert for *.mydomain1.com.
    Is there some way to make this work without buying many certs?

    Hi,
    It is not supported to use a wildcard certificate for the Edge Server external interface. You need a public SAN certificate to support federation. You can use a wildcard certificate for the Reverse Proxy.
    For more server roles for which a wildcard certificate can be used in a Lync Server environment, you can refer to the link below:
    https://technet.microsoft.com/en-us/library/hh202161.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Does Convergence + messaging server 6.3 support wildcard cert ?

    Hi all,
    We plan to purchase a wildcard cert to support our convergence & messaging server SSL connection.
    From the messaging guide provided, it stated we need to generate an individual private key & send it to the vendor to verify.
    What if we are using a wildcard cert, does it work in this case?
    Cheer
    ubd

    ubd wrote:
    > So that means I generate 1 wildcard cert, then apply it to all other server SSL connections, or do I need to generate them individually?
    To use the same CA signed certificate (wildcard or otherwise) with multiple applications (Application Server and Messaging Server in this case) requires that the same private key be used across the applications. To this end you will need to export/import the certificate/keys between the applications using a utility such as pk12util.
    http://docs.sun.com/app/docs/doc/819-3671/ablrh?a=view
    http://docs.sun.com/app/docs/doc/819-4428/bgbbf?a=view
    Regards,
    Shane.

  • Ironport email appliance : can i use a wildcard cert for TLS ?

    Hi all,
    We have 2 ironport C170 email appliance. I would like to use a wildcard SSL Cert from Digicert for TLS communication. I have 2 questions about it : 
    1/ Is it possible to use a wildcard certificate on IronPort?
    2/ Is there any known problem with wildcard certificates for TLS use?
    I found 2 (old) posts about that:
    https://supportforums.cisco.com/discussion/10479161/tls-support-wildcard-cert
    http://www.symantec.com/connect/forums/someone-wants-enforce-tls-us-and-use-wildcard-cert
    Does anyone have experience with it?
    Thanks.

    My experience is that it works fine.
    If you have multiple domains, you have to make sure that the MX records point to the A record of the box you have certs for.
    eg. something like this:
    mx domain1.com  smtp.domain2.com
    mx domain2.com  smtp.domain2.com
    a smtp.domain2.com  x.x.x.x

  • Help! GoDaddy Wildcard Cert

    My organization has finally purchased a wildcard cert from GoDaddy to use on our servers across the board due to how newer browsers are being more vocal about using self signed certs.
    In going through the process of getting the cert issued I keep getting my CSR rejected by GoDaddy by following the instructions from what GoDaddy wants and how to create the CSR. Since I've only really used self signed certs to this point I'm not 100% sure if I am doing things correctly especially given that I'm kind of making some assumptions as my CSR export instructions are a little dated. Are there updated instructions for creating the CSR to a format that GoDaddy will like?
    Thanks!

    For creation these are helpful:
    http://www.digicert.com/csr-creation...consoleone.htm
    http://nl.globalsign.com/en/support/.../generate+csr/
    Example of a "subject name": .CN=*.domain.com.OU=IT.O=Name of your Organization.L=City.S=State.C=US
    You did NOT follow the proper steps to import the certificate (I know it from experience).
    Your only option now is to restore the certificate object that was used for the CSR from a good backup into eDirectory (I hope you have it...) and then do the following (exactly):
    http://www.digicert.com/ssl-certific...consoleone.htm
    Once done you can create a new certificate for each NW server & replace the public & private key with the GoDaddy & your wildcard & point each instance of Apache to such certificate.
    The setup works beautifully, I have been using it for over 5 years now.
    As you can export .pfx from the certificate object with use of openssl you can use it just about anywhere else (but not in APC UPS devices!)
    Seb
    "marklar23" <[email protected]> wrote in message
    news:[email protected]...
    >
    > I made the CSR from NetWare. It looks like the last time that I tried
    > yesterday did take, I had to change the order of the CN and O in the
    > cert string. Now after I imported the certificate and try to validate
    > it, I get Invalid with Certificate Revocation List Invalid. Any
    > suggestions?
    >
    > AndersG;2014252 Wrote:
    >> Marklar23,
    >> > In going through the process of getting the cert issued I keep
    >> getting
    >> > my CSR rejected by GoDaddy by following the instructions from what
    >> > GoDaddy wants and how to create the CSR.
    >> >
    >> And do they say what is wrong wth it? Also: Is this NetWare or Linux?
    >>
    >> - Anders Gustafsson (Sysop)
    >> The Aaland Islands (N60 E20)
    >>
    >>
    >> Novell has a new enhancement request system,
    >> or what is now known as the requirement portal.
    >> If customers would like to give input in the upcoming
    >> releases of Novell products then they should go to
    >> http://www.novell.com/rms
    >
    >
    > --
    > marklar23
    > ------------------------------------------------------------------------
    > marklar23's Profile: http://forums.novell.com/member.php?userid=5123
    > View this thread: http://forums.novell.com/showthread.php?t=419035
    >

  • Wildcard Cert

    Sun Java(tm) System Messaging Server 7.3-11.01 64bit (built Sep 1 2009)
    libimta.so 7.3-11.01 64bit (built 19:44:36, Sep 1 2009)
    Using /opt/sun/comms/messaging64/config/imta.cnf (compiled)
    SunOS wpg-com1 5.10 Generic_141445-09 i86pc i386 i86pc
    I have a wildcard cert that was generated for apache. How can I add this to COMs.

    shjorth wrote:
    > karl.rossing wrote:
    > > I have a wildcard cert that was generated for apache. How can I add this to COMs.
    > The following URL may help (section prior to pull-config):
    > http://blogs.sun.com/nsegura/entry/migrating
    > Regards,
    > Shane.
    Thanks! That helped a lot.
    I was able to run openssl pkcs12 -export -out server.pk12 -in server.crt -inkey server.key -nodes -name "ALIAS" and then msgcert import-cert server.pk12.
    This would be useful information on http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication . Should I add it myself?

  • CSS11506 - Wildcard cert ??

    We have a need to terminate multiple SSL websites on our CSS. So name1.test.com, name2.test.com, name3.test.com, etc. The problem I have found is that I need to burn 1 public VIP per SSL connection b/c they all need to use tcp 443 inbound and point to their respective cert on the CSS. Is there any way to possibly generate a wildcard cert that matches only the last part of our domain name (events.test.com = *.test.com) and then get away with using only 1 VIP for the multiple sub domains?
    Thanks for your help.
    Cheers
    Dave

    CSS can use wildcard certificate just as it uses typical server certificates.
    If you are using the CSS to create the CSR, you would use a wildcard common name.
    - A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
    Syed
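The matching rule Syed states above (the wildcard is only the left-most label, and *.example.com does not cover example.com) is easy to get wrong by hand, and the IronPort reply earlier on this page depends on it too: the MX target name, not the mail domain, is what a sending MTA validates against the wildcard cert during STARTTLS. The following added example (not code from any of the quoted posts or from Cisco) implements that rule as a plain matcher and then applies it to the constructed MX/A-record layout from the IronPort reply and to some constructed ISE node names from the opening thread. The host names, MX records and cert names are all assumptions made up for the demonstration.

```python
"""Wildcard certificate name matching (left-most label only, one label deep),
applied to MX targets and ISE node FQDNs. Added example; constructed data."""

from typing import Iterable, List, Tuple


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied (the RFC 6125 section 6.4.3 style that the CSS reply paraphrases):
      * comparison is case-insensitive and ignores a trailing dot;
      * a pattern without '*' must match exactly;
      * '*' is only honoured as the entire left-most label ("*.example.com");
        partial wildcards such as "f*.example.com" or "*.*.com" are refused;
      * the wildcard matches exactly one label: "*.example.com" covers
        "a.example.com" but neither "example.com" nor "x.a.example.com";
      * a wildcard with fewer than two labels after it ("*.com") is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only the whole left-most label may be a wildcard.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse "*" and "*.com": a wildcard needs at least two labels after it.
    if len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by_cert(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN entry in `cert_names` matches `hostname`."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def check_mx_layout(
    mx_records: List[Tuple[str, str]], cert_names: Iterable[str]
) -> List[Tuple[str, str, bool]]:
    """For each (mail domain, MX target) pair report whether the MX target,
    the name a sending MTA validates during STARTTLS, is covered by the
    certificate presented on that host."""
    names = list(cert_names)
    return [(domain, target, covered_by_cert(names, target)) for domain, target in mx_records]


# Constructed data mirroring the IronPort reply: two mail domains whose MX
# records both point at the single host that holds the wildcard cert.
MX_RECORDS = [
    ("domain1.com", "smtp.domain2.com"),
    ("domain2.com", "smtp.domain2.com"),
]
WILDCARD_CERT_NAMES = ["*.domain2.com"]

# Constructed ISE node names for the opening thread's scenario (assumed names).
ISE_NODES = ["ise-admin.domain.com", "ise-mnt.domain.com", "ise-psn.domain.com"]


if __name__ == "__main__":
    for domain, target, ok in check_mx_layout(MX_RECORDS, WILDCARD_CERT_NAMES):
        print(f"mx {domain:<12} -> {target:<18} covered={ok}")
    for node in ISE_NODES:
        print(f"{node:<24} covered by *.domain.com: {covered_by_cert(['*.domain.com'], node)}")
    # The bare apex and deeper names are not covered, as the CSS reply states.
    print("example.com   <- *.example.com:", wildcard_matches("*.example.com", "example.com"))
    print("x.a.example.com <- *.example.com:", wildcard_matches("*.example.com", "x.a.example.com"))
```

The MX check is the useful part for the IronPort layout: an MX record for domain1.com that pointed at smtp.domain1.com would fail the check because the host only presents *.domain2.com, which is exactly why that reply says all MX records must point at the A record of the box that holds the cert.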

  • Importing Wildcard Cert into Web Server???

    Hi all, does anyone know how I can import a wildcard certificate, private key, & CA cert into the Sun Java Web Server ?
    We have a wildcard certificate from DigiCert that I want import into the web server. There are 3 files in total:
    The files are:
    1) The wildcard cert
    2) The DigiCert CA cert
    3) The private key
    I've been playing around with tools like certutil, pk12util, and the web server admin GUI but so far no success.
    Thanks in advance,
    Stewart

    The private key and cert files are in PEM format. The two certs were supplied to us by DigiCert. We are currently using these files with Apache without any problems.
    Now we want to use them with the Sun Java web server.
    I think I've successfully imported them as shown below.....
    # /opt/SUNWwbsvr7/bin/certutil -d /var/opt/SUNWwbsvr7/<instance-name>/config -L
    DigiCert Global CA - Entrust.net CT,,
    my-wildcard u,u,u
    # /opt/SUNWwbsvr7/bin/certutil -d /var/opt/SUNWwbsvr7/<instance-name>/config -K
    <0> my-wildcard
    In the web server admin gui, however, no certs are displayed.
    Stewart

  • Rdpsign and wildcard certificate

    Hi,
    All is working fine with rdpsign and I can sign the file with the thumbprint of our wildcard certificate, but when running the file I still have a message "Do you trust the publisher of this remote connection?". It's not yellow with a warning, but a warning anyway. I can see a message:
    Publisher: *.domain.com (our wildcard certificate)
    Remote computer: rds.domain.com
    Gateway server: rdg.domain.com
    Is this normal for rdg files signed with wildcard cert used for RDS deployment?
    Best,
    Marcin

    Hi Marcin,
    Do you need any other assistance?
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • ISE 1.2 and iPEP Certificate Requirements

    Hi,
    For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
    Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.
    [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
    Does the same thing apply for iPEP in ISE 1.2? The User Guide for ISE 1.2 and the Hardware Installation Guide don't mention anything about EKU and specific certificate attributes.
    Any thoughts?
    Thank you,
    Octavian

    The EKU validation has been removed in version 1.2.
    "If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used in order to generate the ISE server identity certificate should contain both client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."
    Source:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml
