Guest

Cisco Identity Services Engine

Generate a Certificate for ISE that Binds to Multiple Names

Document ID: 113675

Updated: Sep 07, 2012

Contributed by Vivek Santuka, Cisco TAC Engineer.

   Print

Introduction

When guests are redirected to a Canonical Name Record (CNAME) for Cisco Identity Services Engine (ISE) or sponsors are given a short URL in order to reach the sponsor portal on ISE, they get a certificate error. This document provides a solution to this problem.

Prerequisites

Requirements

You will need to complete this procedure if:

  • You want to redirect guests to a generic URL such as guests.yourdomain.com instead of ise.yourdomain.com

  • You want to redirect sponsors to a generic URL such as sponsors.yourdomain.com instead of ise.yourdomain.com

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem

ISE allows only a single certificate to be installed for Management purposes. This certificate is used for all HTTP sessions terminating on ISE, including guest and sponsor sessions. Since the Subject Name of the certificate has to contain the hostname of ISE, all guest sessions will need to be redirected to the hostname of ISE. This is sometimes not desirable for security or other reasons. The general way to get around this is to use a wildcard certificate. However, ISE does not support that workaround.

This document describes how to create a certificate for ISE that maps to multiple DNS names.

Solution

ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.

The CSR for such a certificate cannot be generated from the ISE GUI. You will need to use openSSL in order to generate the certificate.

Complete these steps:

  1. On a host where openSSL is installed, create a configuration file with the following content. In this example, we will name it my-csr.cnf

    [ req ]
    default_bits        = 1024
    default_keyfile     = privatekey.pem
    distinguished_name  = req_distinguished_name
    req_extensions     = req_ext
     
    [ req_distinguished_name ]
    commonName            = Common Name (eg, YOUR name)
    commonName_max        = 100
     
    [ req_ext ]
    subjectAltName          = @alt_names
     
    [alt_names]
    DNS.1   = <FQDN of ISE>
    DNS.2   = sponsor.<yourdomain>
    DNS.3   = guest.<yourdomain>
  2. In the configuration file:

    • DNS.1 and commonName should be the same.

    • Modify the DNS.2 and DNS.3 as required.

    • You can add more SANs as DNS.4, DNS.5, and so on.

    • Do not change the value of commonName in the configuration file. The actual commonName will be set in the next step.

  3. Generate the CSR using this command:

    openssl req -new -nodes -out newise.csr -config csr.cnf
    
  4. You will be prompted to enter the commonName for the certificate and then the command will create two files - newise.csr and privatekey.pem. The first file contains the CSR that can be used by the CA in order to generate a certificate.

  5. Once you have the certificate file, verify the SAN fields using the following command. For this example, the certificate filename is assumed to be my-newise-cert.pem:

    openssl x509 -text -in my-newise-cert.pem
    

    In the output of the above command, look for output similar to:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
    (...)
            X509v3 extensions:
                X509v3 Subject Alternative Name: 
                    DNS:myise.mycompany.com, DNS:sponsor.mycompany.com, 
                       DNS:guest.mycompany.com.com
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Key Usage: 
                    Digital Signature, Key Encipherment
    (...)
    
    
  6. Once verified, use the certificate file and the privatekey.pem file in order to add the certificate and private key file to ISE. Complete these steps in order to add them:

    1. In the ISE GUI, go to Administration > Certificates > Local Certificates.

    2. Click Add, and choose Import Local Server Certificate.

    3. In the Certificate File field, choose the certificate file generated by the CA.

    4. In the Private Key File field, choose the privatekey.pem file generated above.

    5. In the Protocol section, choose Management Interface: Use certificate to authenticate the web server (GUI).

    6. Click Submit.

Related Information

Updated: Sep 07, 2012
Document ID: 113675