Certificate Requirements for EAP-TLS

Client Certificate Requirements

Mandatory Fields

| Field | Requirement | Example |
| --- | --- | --- |
| Subject CN | Unique identifier (hostname or username) | modestus-razer.inside.domusdigitalis.dev |
| Subject Alternative Name | DNS name matching CN | DNS:modestus-razer.inside.domusdigitalis.dev |
| Key Usage | Digital Signature, Key Encipherment | digitalSignature, keyEncipherment |
| Extended Key Usage | Client Authentication | 1.3.6.1.5.5.7.3.2 |
| Validity | Within valid date range | 1 year recommended |

| Field | Purpose |
| --- | --- |
| Subject O | Organization name for policy matching |
| Subject OU | Organizational Unit for device classification |
| CRL Distribution Points | Certificate revocation checking |

Server Certificate Requirements

ISE EAP certificate must have:

| Field | Requirement |
| --- | --- |
| Subject CN | ISE FQDN |
| Subject Alternative Name | DNS names for all ISE nodes |
| Extended Key Usage | Server Authentication (1.3.6.1.5.5.7.3.1) |
| Key Size | 2048-bit RSA minimum (4096 recommended) |

Certificate Chain

Both client and server must trust the complete chain:

DOMUS-ROOT-CA
└── DOMUS-ISSUING-CA
    ├── ise-01.inside.domusdigitalis.dev (server)
    └── modestus-razer.inside.domusdigitalis.dev (client)

Vault PKI Issuance

Issue client certificate from Vault:

HOSTNAME="modestus-razer"

vault write pki_int/issue/domus-client \
  common_name="${HOSTNAME}.inside.domusdigitalis.dev" \
  alt_names="${HOSTNAME}" \
  ttl="8760h"

See Vault PKI Certificate Issuance (infra-ops) for complete procedure.

Verification

# Check client certificate
openssl x509 -in /etc/ssl/certs/client-eaptls.pem -text -noout | grep -A2 "Subject:"

# Verify chain
openssl verify -CAfile /etc/ssl/certs/DOMUS-CA-CHAIN.pem /etc/ssl/certs/client-eaptls.pem
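The two commands above show the Subject and the chain; the script below is an added example (not part of the original page or the Vault/ISE tooling) that checks a client certificate against every row of the Mandatory Fields table in one pass: Subject CN equals the device FQDN, the SAN carries a matching DNS entry, Key Usage has both Digital Signature and Key Encipherment, EKU includes clientAuth, the certificate has not expired, and the chain verifies. It assumes OpenSSL 1.1.1 or newer on PATH. `make_sample_pki` is a hypothetical helper that builds a throwaway issuing CA and signs a test certificate (constructed data, standing in for DOMUS-ISSUING-CA and a Vault-issued certificate) so the script can be run offline; in production point `check_eaptls_client_cert` at /etc/ssl/certs/client-eaptls.pem and /etc/ssl/certs/DOMUS-CA-CHAIN.pem instead.

```shell
#!/bin/sh
# Added example, not from the original page: check a client certificate against
# the EAP-TLS client requirements (Subject CN, SAN, Key Usage, Extended Key
# Usage, validity, trust chain). Assumes OpenSSL 1.1.1 or newer on PATH.
#
# Usage: check_eaptls_client_cert CERT.pem EXPECTED_FQDN [CA_CHAIN.pem]
# Prints one line per check; returns the number of failed checks (0 = compliant).
check_eaptls_client_cert() {
    cert="$1"; fqdn="$2"; chain="${3:-}"; fails=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # Subject CN must be the device FQDN (RFC2253 form prints subject=CN=...,O=...)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$fqdn" ]; then echo "ok   CN=$cn"
    else echo "FAIL CN=$cn (expected $fqdn)"; fails=$((fails + 1)); fi

    # SAN must carry a DNS entry equal to the CN (whole entry, not a prefix match)
    if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
         | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$fqdn"; then
        echo "ok   SAN DNS:$fqdn"
    else echo "FAIL SAN has no DNS:$fqdn"; fails=$((fails + 1)); fi

    # Key Usage must include both Digital Signature and Key Encipherment
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case "$ku" in
        *"Digital Signature"*"Key Encipherment"*) echo "ok   KU:$ku" ;;
        *) echo "FAIL KU:$ku"; fails=$((fails + 1)) ;;
    esac

    # EKU must include clientAuth (1.3.6.1.5.5.7.3.2); a serverAuth-only cert fails
    if printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
         | grep -q 'TLS Web Client Authentication'; then
        echo "ok   EKU includes clientAuth"
    else echo "FAIL EKU lacks clientAuth"; fails=$((fails + 1)); fi

    # Not expired (-checkend 0); the chain check below also enforces notBefore
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "ok   within validity period"
    else echo "FAIL certificate has expired"; fails=$((fails + 1)); fi

    # Full chain validation when a CA bundle (e.g. DOMUS-CA-CHAIN.pem) is supplied
    if [ -n "$chain" ]; then
        if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
            echo "ok   chain verifies against $chain"
        else echo "FAIL chain does not verify against $chain"; fails=$((fails + 1)); fi
    fi
    return "$fails"
}

# make_sample_pki DIR FQDN EKU: constructed test data, a throwaway issuing CA and
# one client certificate it signs (hypothetical stand-in for DOMUS-ISSUING-CA and
# a Vault-issued certificate). Writes DIR/ca.pem and DIR/cert.pem.
make_sample_pki() {
    dir="$1"; fqdn="$2"; eku="$3"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Domus Digitalis
CN = TEST-ISSUING-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Domus Digitalis
OU = Workstations
CN = $fqdn
EOF
    # Leaf extensions mirror the Mandatory Fields table; EKU is the parameter
    printf 'subjectAltName=DNS:%s\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$fqdn" "$eku" > "$dir/ext.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/leaf.cnf" \
        -keyout "$dir/key.pem" -out "$dir/csr.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" \
        -out "$dir/cert.pem" >/dev/null 2>&1
}

# demo: a compliant certificate passes; one issued with serverAuth instead of
# clientAuth fails the EKU check (exit status 1 = one failed check).
demo() {
    tmp=$(mktemp -d); fqdn=modestus-razer.inside.domusdigitalis.dev
    mkdir "$tmp/good" "$tmp/bad"
    make_sample_pki "$tmp/good" "$fqdn" clientAuth
    make_sample_pki "$tmp/bad"  "$fqdn" serverAuth
    echo "== good =="; check_eaptls_client_cert "$tmp/good/cert.pem" "$fqdn" "$tmp/good/ca.pem"
    echo "== bad ==";  check_eaptls_client_cert "$tmp/bad/cert.pem"  "$fqdn" "$tmp/bad/ca.pem"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Save the script and run it with the `demo` argument to see a passing and a failing certificate side by side; the exit status is the number of failed checks, so it can gate a provisioning pipeline. The chain step only covers trust and validity dates: `openssl verify` does not consult the CRL Distribution Points unless a CRL is supplied with `-CRLfile` and `-crl_check`, so revocation remains ISE's job at authentication time.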