Phase 1: CSR Generation & Certificate Renewal (Standard Procedure)

Overview

This procedure covers the annual renewal of the ISE wildcard certificate used across all ISE services. The certificate uses a specific hostname in the Common Name (CN) field with a wildcard in the Subject Alternative Name (SAN) field. This structure is required for compatibility with Windows 802.1X authentication.

Certificate Requirements

Field                             Requirement
Common Name (CN)                  A specific FQDN, e.g. access2.ise.chla.org. Must NOT be a wildcard.
Subject Alternative Name (SAN)    *.ise.chla.org (the wildcard is placed here only)
Key Size                          2048- or 4096-bit RSA
Signature Algorithm               SHA-256
Extended Key Usage                Server Authentication, Client Authentication
Validity                          1 year
Certificate Authority             Confirm: internal CA (CHLASUBCA) or external

The Common Name (CN) field must not contain a wildcard (*). Windows endpoints will reject the certificate during 802.1X authentication if the wildcard appears in the CN. This is a known limitation documented by both Cisco (CSCuh22029) and Microsoft.

Some Certificate Authorities will automatically add the wildcard to the CN even if the CSR does not include it. Verify the signed certificate before importing into ISE.

Step 1: Generate CSR from ISE

  1. Navigate to Administration > System > Certificates > System Certificates

  2. Click Generate Certificate Signing Request (CSR)

  3. Fill in the following:

Field                        Value
Certificate Usage            Multi-Use (Admin, EAP Authentication, Portal, pxGrid)
Common Name (CN)             access2.ise.chla.org
Organization (O)             Children's Hospital Los Angeles
Organizational Unit (OU)     Information Security
City (L)                     Los Angeles
State (ST)                   California
Country (C)                  US
SAN (DNS)                    *.ise.chla.org
Key Type                     RSA
Key Length                   4096
Digest to Sign With          SHA-256

  4. Click Generate

  5. Click Export CSR and save the .pem file

Step 2: Verify the CSR

Before submitting to the Certificate Authority, verify the CSR contents:

  • Open the CSR file in a text editor or use an online CSR decoder

  • Confirm the CN is the specific FQDN (not a wildcard)

  • Confirm the SAN contains the wildcard (*.ise.chla.org)

Step 3: Submit CSR to Certificate Authority

  1. Submit the CSR to the CA using the standard process (email / web portal / AD CS web enrollment)

  2. Explicitly request the CA does NOT modify the CN field

  3. Record the submission date and expected turnaround

  4. When the signed certificate is received, proceed to Step 4

Step 4: Verify the Signed Certificate

Before importing into ISE:

  • Open the signed certificate and confirm:

    • CN is access2.ise.chla.org (NOT *.ise.chla.org)

    • SAN contains *.ise.chla.org

    • Validity dates are correct

    • Issuer is the expected CA

  • If the CN contains a wildcard — reject the certificate and re-submit to the CA
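The checks in Step 2 and Step 4 can be scripted instead of read by eye. The Go program below is an added example, not part of this procedure or of any Cisco tooling: CheckISECert applies the CN, SAN, issuer, key-size and signature-algorithm requirements from the table above to a parsed certificate, and mintTestCert is a constructed fixture (signed with its own key under a made-up issuer name) so the check runs offline. The function names, the issuer CN "CHLASUBCA" (the page only names it as a candidate CA) and the fixture itself are assumptions; for a real run, decode the CA-issued PEM with encoding/pem and x509.ParseCertificate, and the same CN/SAN rule can be applied to the CSR via x509.ParseCertificateRequest.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"strings"
	"time"
)

// CheckISECert applies this runbook's requirements to a parsed certificate; an empty result means accept.
func CheckISECert(c *x509.Certificate, wantCN, wantSAN, wantIssuer string) []string {
	var f []string
	if cn := c.Subject.CommonName; cn != wantCN || strings.Contains(cn, "*") {
		f = append(f, "CN is "+cn+", expected "+wantCN+" (a wildcard CN breaks Windows 802.1X)")
	}
	if !slices.Contains(c.DNSNames, wantSAN) { // the wildcard belongs in the SAN only
		f = append(f, "SAN does not contain "+wantSAN)
	}
	if c.Issuer.CommonName != wantIssuer {
		f = append(f, "issuer is "+c.Issuer.CommonName+", expected "+wantIssuer)
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		f = append(f, "key is not RSA of at least 2048 bits")
	}
	if c.SignatureAlgorithm != x509.SHA256WithRSA {
		f = append(f, "signature is not SHA-256 with RSA: "+c.SignatureAlgorithm.String())
	}
	return f
}

// mintTestCert is a constructed fixture (not a CA-issued cert): RSA-2048, one-year validity, signed with its own key under issuerCN.
func mintTestCert(cn, issuerCN string, sans []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	parent := *tmpl // the issuer name is taken from parent.Subject; the same key signs
	parent.Subject = pkix.Name{CommonName: issuerCN}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate whose CA moved the wildcard into the CN (the failure mode Step 4 warns about) produces exactly one CN finding, which is the signal to reject it and re-submit.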

Step 5: Import Certificate into ISE

  1. Navigate to Administration > System > Certificates > System Certificates

  2. Click Import

  3. Select the signed certificate file and the private key (if generated externally) or bind to the existing CSR

  4. Select certificate chain file (root CA + intermediate CA)

  5. Set Friendly Name: ISE-Wildcard-2026-renewal

  6. Check Allow Wildcard Certificates

  7. Select all applicable roles:

    • ✅ Admin

    • ✅ EAP Authentication

    • ✅ Portal

    • ✅ pxGrid

  8. Click Submit

Selecting the Admin role will trigger an ISE application service restart on this node. Perform this during the scheduled maintenance window.

Step 6: Apply to All ISE Nodes

The certificate must be imported on every ISE node in the deployment.

Node                        Import Complete    Services Restarted
PAN (Primary Admin Node)    [ ]                [ ]
PSN 1                       [ ]                [ ]
PSN 2                       [ ]                [ ]
Additional nodes            [ ]                [ ]

Recommended order:

  1. Import on PSN nodes first (non-primary)

  2. Verify PSN services restart successfully

  3. Import on PAN last

  4. Verify PAN services restart and deployment health

Step 7: Post-Renewal Validation

After importing on all nodes:

  • ISE Admin GUI accessible on all nodes (port 443)

  • Guest/Sponsor portal loads without certificate warnings (port 8443)

  • 802.1X authentication working — test with a Windows endpoint

  • pxGrid integrations reconnected (if applicable)

  • ISE Deployment page shows all nodes healthy: Administration > System > Deployment

Step 8: Monitor for 48 Hours

  • Monitor ISE Operations > RADIUS > Live Logs for authentication failures

  • Watch for TLS-related errors: 12511 Unexpectedly received TLS alert message

  • Confirm no increase in failed authentication rate compared to pre-renewal baseline

  • After 48 hours with no issues — renewal is complete

Rollback Procedure

If the new certificate causes authentication failures:

  1. Navigate to Administration > System > Certificates > System Certificates

  2. Select the previous certificate (backup)

  3. Reassign it to all roles (Admin, EAP, Portal, pxGrid)

  4. ISE will restart services — previous cert is restored

  5. Investigate the issue before attempting renewal again

Maintenance Window Requirements

Activity                          Window Needed
CSR generation                    No downtime, can be done anytime
Certificate import (PSN nodes)    Brief service restart per node (~5 min each)
Certificate import (PAN)          Admin GUI temporarily unavailable (~5 min)
Full deployment restart           Not required unless inter-node trust is broken

Renewal Checklist

  • CSR generated with correct CN (specific FQDN, no wildcard)

  • CSR verified — CN and SAN correct

  • CSR submitted to CA

  • CA explicitly told not to modify CN

  • Signed certificate received and verified

  • Certificate imported on all ISE nodes

  • All roles bound (Admin, EAP, Portal, pxGrid)

  • Services restarted on all nodes

  • 802.1X authentication tested (Windows endpoint)

  • Portal access tested

  • 48-hour monitoring complete — no increase in failures

  • Old certificate backup retained