Best Third Party Certificate Authority for ISE Wildcard Certificate
This article explains why you should use a wildcard certificate in your ISE deployment and which certificate provider you could obtain the certificate from.
In an ISE deployment, it is always recommended to use a wildcard certificate, especially in a distributed deployment. However, the cost of a wildcard certificate is usually 3-4 times higher than that of a regular certificate, and unless you have at least four ISE nodes in the deployment, buying a wildcard certificate may not seem to make economic sense. Although cost saving is certainly one of many benefits, what you actually gain from using a wildcard certificate is ease of deployment and an improved user experience, as follows:
- You only have one certificate to request and install on all ISE nodes
- You only have one certificate to renew
- You do not need to distribute a root CA certificate to your user devices, as the root certificates of the major public CAs are already installed and trusted by default in the operating system
- The certificate is automatically trusted by non-company or guest devices, so untrusted-certificate warnings on the guest login portal are avoided
- User devices are presented with the same certificate when they are switched to a different PSN (Policy Service Node), so users are not prompted again to trust the certificate on devices such as iOS
- You can potentially use the same wildcard certificate on other network services such as AnyConnect SSL VPN, which helps justify the cost of the certificate even further. Keep in mind, though, that the more places the certificate and its private key are installed, the more exposed that key becomes.
To realize all the benefits mentioned above, the wildcard certificate needs to be issued by a trusted third-party certificate authority. The next question is which certificate provider you should get the certificate from. One thing to keep in mind is that the wildcard certificate accepted by ISE does not take the form of a regular wildcard certificate, where the Common Name (CN) is *.domain.com; instead, *.domain.com appears under the Subject Alternative Name (SAN), while the CN can be anything you like:
Common Name = networkaccess.domain.com
Subject Alternative Name (SAN)
  DNS Name = networkaccess.domain.com
  DNS Name = *.domain.com
Here is the video that shows how to generate and deploy a wildcard certificate on ISE 1.2.
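Before installing a certificate on ISE, it is worth confirming that the wildcard really sits in the SAN and not only in the CN. The following shell script is an added example, not part of the original article or of ISE itself: it uses openssl to build two constructed self-signed certificates (one in the CN/SAN layout shown above, one with the wildcard only in the CN) and checks each with a small function; domain.com is a placeholder exactly as in the article.

```shell
#!/bin/sh
# Added example: build two throwaway self-signed certificates that mimic the
# two wildcard layouts discussed in the article, then check which one carries
# the wildcard in the SAN the way ISE expects. Requires only openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert CN SAN_LIST OUT_FILE
# Writes a minimal OpenSSL config (the same layout works for a real CSR when
# run with -new instead of -x509) and issues a one-day self-signed certificate.
make_cert() {
    cnf="$3.cnf"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n' > "$cnf"
    printf 'req_extensions = ext\nx509_extensions = ext\n' >> "$cnf"
    printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = %s\n' "$1" "$2" >> "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$3" -config "$cnf" >/dev/null 2>&1
}

# has_san_wildcard CERT_FILE DOMAIN
# Succeeds (exit 0) only when the SAN extension contains DNS:*.DOMAIN.
# The CN is deliberately ignored: a wildcard that appears only in the CN is
# exactly the layout ISE does not accept.
has_san_wildcard() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qxF "DNS:*.$2"
}

# Constructed test certificates (domain.com is a placeholder, as in the article).
# ise.pem:    CN is a plain hostname, wildcard is in the SAN  -> ISE-compatible
# cnonly.pem: wildcard is in the CN only, SAN has no wildcard -> not accepted
make_cert networkaccess.domain.com \
    'DNS:networkaccess.domain.com,DNS:*.domain.com' "$WORK/ise.pem"
make_cert '*.domain.com' 'DNS:domain.com' "$WORK/cnonly.pem"

for name in ise cnonly; do
    if has_san_wildcard "$WORK/$name.pem" domain.com; then
        echo "$name.pem: wildcard found in SAN (usable on ISE)"
    else
        echo "$name.pem: no wildcard in SAN (not the layout ISE accepts)"
    fi
done
```

Run `has_san_wildcard` against the certificate your provider actually issues before you install it; if it fails, the wildcard is only in the CN and you need the SAN variant.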
While most of the major certificate providers can issue you a wildcard certificate with the wildcard in the CN, not all of them are able to include a wildcard in the SAN. If you already have a corporate account with a provider that cannot accommodate this, you may need to look for another provider, which can be a bit of a hassle. To save you time in finding the right provider, I have compiled below a list of certificate providers that I have come across throughout my ISE deployments. Please note that this information can change at any time, so definitely contact your provider of choice to confirm before making a purchase.
GoDaddy is the choice of many organizations due to its low-cost service, but unfortunately they do not support a wildcard in the SAN. This is confirmed by their customer support agents.
VeriSign is a provider used by high-end customers, and while they do support a wildcard in the SAN, it is fairly expensive and you may also need to contact their customer support to have the certificate custom-generated.
DigiCert supports a wildcard in the SAN and the price is also very reasonable (See link below). They also have a pay-once policy: you pay only once and they will issue you wildcard certificates in both formats (in the CN and in the SAN) at no additional cost. You can then give the regular wildcard to your server team to use on their web servers, and use the SAN wildcard in your ISE deployment. The only hassle is that the CSR (in the SAN format) cannot be submitted on the web, so you will need to contact their customer support for custom certificate generation.
GeoTrust does support a wildcard in the SAN, and you can actually submit the CSR online and get the certificate without calling their support. The price is roughly the same as DigiCert. I am uncertain whether they can issue a regular wildcard at no additional cost like DigiCert, but it is definitely wise to ask.
This is certainly not a comprehensive list and I will try to update the list as I work with more providers. If you have dealt with other providers that are not listed here, please leave your experience down in the comments below and I will add them to the list.