Phase 1: CSR Generation

Phase 1: CSR Generation (OpenSSL CLI)

The CSR is generated with OpenSSL on the CLI, NOT through the ISE GUI. This gives full control over the CN and SAN fields, which matters because the CN must NOT contain a wildcard: the wildcard belongs only in the SAN, with a specific node FQDN in the CN.

OpenSSL Config File

Create this config file before generating the CSR. The CN is a specific FQDN; the wildcard goes only in the SAN.

Save as /tmp/ise-cert-renewal.cnf
cat > /tmp/ise-cert-renewal.cnf << 'EOF'
[req]
default_bits       = 4096
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[dn]
C  = US
ST = California
L  = Los Angeles
O  = Childrens Hospital Los Angeles
OU = Information Security
CN = access2.ise.chla.org

[req_ext]
subjectAltName = @alt_names
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[alt_names]
DNS.1 = *.ise.chla.org
# Add individual node FQDNs if required by CA or supplicant policy:
# DNS.2 = ise-pan.chla.org
# DNS.3 = ise-psn1.chla.org
# DNS.4 = ise-psn2.chla.org
EOF

Generate Private Key + CSR

# Generate private key (4096-bit RSA)
openssl genrsa -out /tmp/ise-cert-renewal.key 4096

# Generate CSR from config
openssl req -new \
  -key /tmp/ise-cert-renewal.key \
  -config /tmp/ise-cert-renewal.cnf \
  -out /tmp/ise-cert-renewal.csr

Verify CSR Before Submitting

ALWAYS verify the CSR before sending it to the CA. Confirm:

  1. CN is a specific FQDN (no wildcard)

  2. SAN contains the wildcard

  3. Key size is correct

  4. EKU includes both Server Auth and Client Auth

Verify CSR contents
# Check subject, key size, SAN and EKU in one pass (covers all four items above)
openssl req -in /tmp/ise-cert-renewal.csr -noout -text \
  | grep -E 'Subject:|Public-Key:|DNS:|Authentication'

# Full CSR dump
openssl req -in /tmp/ise-cert-renewal.csr -noout -text
Expected output (OpenSSL 1.1.1 and later print the subject as "C = US, ST = California, ..."; older releases omit the spaces)
        Subject: C=US, ST=California, L=Los Angeles, O=Childrens Hospital Los Angeles, OU=Information Security, CN=access2.ise.chla.org
                Public-Key: (4096 bit)
                DNS:*.ise.chla.org
                TLS Web Server Authentication, TLS Web Client Authentication

If you see CN=*.ise.chla.org, STOP and regenerate: Windows supplicants will reject this cert for EAP.
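As an added example (not part of this runbook and not ISE or CA tooling), the following POSIX shell script generates a CSR with the same layout as the config above under a restrictive umask, then lints it against all four checks so the STOP condition is caught by a script instead of by eye. It assumes openssl(1) is on PATH; the hostnames, DN values, directories and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the runbook): generate a CSR with a specific CN and a
# wildcard SAN, then lint it against the four pre-submission checks.
# Assumes openssl(1) on PATH. Hostnames, DN values and directories are
# constructed for illustration.

# gen_csr DIR CN BITS SAN...  -> DIR/req.key, DIR/req.cnf, DIR/req.csr
# Body runs in a subshell so the umask change stays scoped; key is created 0600.
gen_csr() (
  dir=$1; cn=$2; bits=$3; shift 3
  umask 077
  mkdir -p "$dir"
  {
    printf '[req]\nprompt = no\ndefault_md = sha256\n'
    printf 'req_extensions = req_ext\ndistinguished_name = dn\n'
    printf '[dn]\nC = US\nO = Example Org\nCN = %s\n' "$cn"
    printf '[req_ext]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth, clientAuth\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    i=1
    for san in "$@"; do printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i + 1)); done
  } > "$dir/req.cnf"
  openssl genrsa -out "$dir/req.key" "$bits" 2>/dev/null &&
  openssl req -new -key "$dir/req.key" -config "$dir/req.cnf" -out "$dir/req.csr"
)

# check_csr CSR EXPECTED_CN EXPECTED_BITS WILDCARD_SAN
# Prints one line per check; returns the number of failed checks (0 = safe to submit).
check_csr() {
  csr=$1; want_cn=$2; want_bits=$3; want_san=$4; fails=0
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
    { echo "FAIL cannot parse $csr"; return 99; }

  # 1. CN is a specific FQDN: exact match and no '*' anywhere in it.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  case $cn in
    *'*'*)      echo "FAIL CN contains a wildcard: $cn"; fails=$((fails + 1)) ;;
    "$want_cn") echo "ok   CN=$cn" ;;
    *)          echo "FAIL CN=$cn, expected $want_cn"; fails=$((fails + 1)) ;;
  esac

  # 2. The wildcard lives in the SAN list (one DNS: entry per line after splitting on commas).
  sans=$(printf '%s\n' "$text" | tr ',' '\n' |
         sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p')
  if printf '%s\n' "$sans" | grep -qxF -- "$want_san"; then
    echo "ok   SAN has $want_san"
  else
    echo "FAIL SAN missing $want_san (have: $(printf '%s' "$sans" | tr '\n' ' '))"
    fails=$((fails + 1))
  fi

  # 3. Key size, taken from the "Public-Key: (N bit)" line of the dump.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ "$bits" = "$want_bits" ]; then
    echo "ok   key size $bits"
  else
    echo "FAIL key size ${bits:-unknown}, expected $want_bits"; fails=$((fails + 1))
  fi

  # 4. EKU carries both serverAuth and clientAuth, as the checklist requires.
  if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
     printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
    echo "ok   EKU serverAuth + clientAuth"
  else
    echo "FAIL EKU must include both serverAuth and clientAuth"; fails=$((fails + 1))
  fi
  return $fails
}

# Demo: one good CSR and one with the wildcard in the CN (the STOP case).
demo() {
  work=$(mktemp -d)
  echo "== CSR with specific CN and wildcard SAN"
  gen_csr "$work/good" access2.ise.chla.org 4096 '*.ise.chla.org' ise-pan.chla.org
  check_csr "$work/good/req.csr" access2.ise.chla.org 4096 '*.ise.chla.org'
  echo "== CSR with the wildcard in the CN"
  gen_csr "$work/bad" '*.ise.chla.org' 4096 '*.ise.chla.org'
  check_csr "$work/bad/req.csr" access2.ise.chla.org 4096 '*.ise.chla.org' ||
    echo "-> STOP: $? check(s) failed, regenerate before submitting"
  rm -rf "$work"
}
demo
```

Run it as `sh csr-lint.sh`; the demo writes into a temporary directory and removes it. To lint the runbook's own request, source the file and call `check_csr /tmp/ise-cert-renewal.csr access2.ise.chla.org 4096 '*.ise.chla.org'`; a non-zero exit status is the STOP signal, and the per-check lines say which item to fix.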

Secure the Private Key

# Copy key and CSR into d001 storage (the /tmp copies are removed below)
cp /tmp/ise-cert-renewal.key data/d001/projects/ise-annual-cert-renewal/certs/ise-cert-renewal-2026.key
cp /tmp/ise-cert-renewal.csr data/d001/projects/ise-annual-cert-renewal/csr/ise-cert-renewal-2026.csr

# Encrypt the private key immediately (clear any .age left from a previous run first)
rm -f data/d001/projects/ise-annual-cert-renewal/certs/ise-cert-renewal-2026.key.age
encrypt-file data/d001/projects/ise-annual-cert-renewal/certs/ise-cert-renewal-2026.key

# Clean up /tmp
rm -f /tmp/ise-cert-renewal.key /tmp/ise-cert-renewal.csr /tmp/ise-cert-renewal.cnf

# Verify: the .age file exists and no plaintext .key is left beside it
ls -la data/d001/projects/ise-annual-cert-renewal/certs/
The private key MUST be encrypted at rest. If encrypt-file leaves the plaintext ise-cert-renewal-2026.key next to the .age file, delete it; never commit the plaintext .key file.

CA Submission Checklist

  • CSR verified: CN is specific FQDN, SAN has wildcard

  • Private key encrypted and stored in d001

  • CSR submitted to CA: method (email / portal / AD CS web enrollment)

  • Explicitly requested CA does NOT auto-add wildcard to CN — some CAs do this

  • Expected turnaround: days

  • Signed cert received: date