What are WildCard Certificates, and how do I use them with Cisco's ISE?

A breakdown of how to use WildCard certificates with 802.1X, including the addition of the wildcard value to the SAN field of a certificate.

Page 2 of 2

Import the Root Certificates to the Certificate Store

Before we bind the newly signed certificate to the CSR on ISE, we want to ensure the signing root certificates exist in the trusted certificate store.

Note:  By performing the actions in this order, we are ensuring that all other nodes in the deployment will trust the new certificate before we bind it.

Step 1 Navigate to Administration > System > Certificates > Certificate Store

Step 2 Click Import

Step 3 Click Browse and locate the certificates for the signing certificate authority, as shown in Figure 14

Step 4 Provide a friendly name for these, such as “Comodo Trusted Root”

Step 5 Ensure the checkbox for “Trust for client authentication or Secure Syslog services” is enabled

Step 6 Click Submit

Step 7 Repeat steps 2 through 6 for any additional root CA certificates

Figure 14 - Root CA (image: Aaron Woland)

Bind the Newly Signed Certificate to the CSR

Now that the signing root certificates exist in the trusted certificate store, we can move forward binding the newly signed certificate to the signing request.

Step 1 Navigate back to Administration > System > Certificates > Local Certificates

Step 2 Click Add > Bind CA signed Certificate

Step 3 Click Browse and locate the signed certificate from the CA

Step 4 Provide a friendly name, such as “Comodo Signed Wildcard Certificate”

Step 5 Ensure the “Allow Wildcard Certificates” check box is enabled

Step 6 Choose the protocol for this certificate to be bound to: EAP, HTTPS or both

Step 7 Click Submit

Figure 15 - Bind the Signed Certificate to Service(s) (image: Aaron Woland)

Reuse the Wildcard Certificate on other ISE nodes

At this point, we have generated a certificate signing request using one of our ISE nodes.  This will use the private key from that ISE node and a new Public Key that has been created with a CN of “psn.ise.local” and SAN dNSName values of “psn.ise.local” and “*.ise.local” (the wildcard).

By binding the new signed certificate to the certificate signing request, we have a brand-new Public & Private key pair on this ISE node.

Our next procedures will be to export that key-pair and import both the private and public keys on all the other Policy Service Nodes, ensuring we have the exact same certificate on all PSNs.
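Why one certificate with the SAN dNSName “*.ise.local” can be shared by every PSN is easiest to see by running the supplicant-side name check yourself. The matcher below is an added example, not code from the article or from Cisco ISE; the SAN list and CN are constructed to mirror the certificate described above, and the function names `cert_matches_host` and `uncovered_nodes` are this example's own. It applies the RFC 6125 rules most 802.1X supplicants follow: a dNSName SAN takes precedence over the CN, and a wildcard is honoured only as the whole leftmost label and matches exactly one label.

```python
import re

# Constructed to mirror the certificate built in the article:
# CN psn.ise.local, SAN dNSName psn.ise.local and *.ise.local (the wildcard).
ISE_CERT_CN = "psn.ise.local"
ISE_CERT_SAN_DNS = ["psn.ise.local", "*.ise.local"]

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 style).

    Comparison is case-insensitive; '*' is only honoured as the entire
    leftmost label and matches exactly one label, so *.ise.local covers
    psn2.ise.local but not ise.local or psn.east.ise.local.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the whole leftmost label, appear nowhere else, and
    # leave at least two fixed labels to its right (no "*.local" patterns).
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return _LABEL.match(h_labels[0]) is not None and h_labels[1:] == p_labels[1:]


def cert_matches_host(san_dns, cn, hostname):
    """Return the SAN entry (or CN) that allowed the match, or None.

    When any dNSName SAN is present the CN is ignored, which is why the
    wildcard goes into the SAN rather than only into the CN.
    """
    if san_dns:
        for entry in san_dns:
            if _dns_pattern_matches(entry, hostname):
                return entry
        return None
    return cn if _dns_pattern_matches(cn, hostname) else None


def uncovered_nodes(psn_fqdns, san_dns=ISE_CERT_SAN_DNS, cn=ISE_CERT_CN):
    """List the node FQDNs the shared certificate would NOT be valid for.

    Worth running over every PSN's FQDN before exporting and importing
    the same key pair onto all of them.
    """
    return [h for h in psn_fqdns if cert_matches_host(san_dns, cn, h) is None]
```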

Export the Key Pair

From the first ISE node, navigate to the certificates section of the administrative GUI.  For dedicated Policy Services Nodes, the path will be “Administration > Server Certificates”.  If the node is also an administrative node, the path will be “Administration > Certificates > Local Certificates”.

Step 1 Select the wildcard certificate

Step 2 Click Export

Step 3 Select Export Certificate and Private Key

Step 4 Provide a password that will be used later when importing the certificate key-pair

Step 5 Click Export

Step 6 The key-pair is exported as a zip file; save that zip file to a location that can be accessed quickly

Figure 16 - Export the Key Pair (image: Aaron Woland)

Import the Key-Pair on other ISE Nodes

On your local machine, you will need to extract the zip file from Procedure 1 (Export the Key Pair), so the two certificate files may be accessed.

Then, on one of the remaining ISE nodes, navigate to the certificates section of the administrative GUI.  For dedicated Policy Services Nodes, the path will be “Administration > Server Certificates”.  If the node is also an administrative node, the path will be “Administration > Certificates > Local Certificates”.

Step 1 Click Add > Import Server Certificate

Step 2 Click Browse for the Certificate File, and locate the certificate file from the zip file with the .pem extension (for example “CNisaaaSANhasWildcard.pem”)

Step 3 Click Browse for the Private Key File, and locate the private key file from the zip file with the .pvk extension (for example “CNisaaaSANhasWildcard.pvk”)

Step 4 Provide the password you created in Procedure 1, Step 4

Step 5 Ensure the “Allow Wildcard Certificates” check box is enabled

Step 6 Choose the protocol for this certificate to be bound to: EAP, HTTPS or both

Step 7 Click Submit

Step 8 Repeat steps 2 through 7 for all remaining ISE Nodes

Figure 17 - Import the Key Pair (image: Aaron Woland)

Testing Results:

This section provides a sampling of the clients that have been tested and proven to work with the wildcard certificates. Both Option 1 and Option 2 from the section of this document labeled “Constructing the Wildcard Certificate” were tested. This is a sampling only; many more devices have been tested and proven to work.


Copyright © 2013 IDG Communications, Inc.
