This seems like it should work, but PKI is complicated and I'd like to ask people who can give an authoritative answer.
BACKGROUND:
I am the network engineer for a company; for sake of argument we'll call our domain thatcompany.com.
I authenticate some BYOD wireless services through Cisco ISE (just a fancy RADIUS server), and configured it with a 90-day Comodo trial SSL cert with this SAN field (Note 1):
DNS:radius01.thatcompany.com
DNS:radius02.thatcompany.com
IP:192.0.2.1 (reverse-maps to radius01.thatcompany.com)
IP:192.0.2.2 (reverse-maps to radius02.thatcompany.com)
If life was simple, I would just buy the corresponding SSL cert and be done with it. However...
- I need a wildcard cert (Note 2); those are roughly 50% more expensive than a normal cert (Comodo calls this a Unified Communications cert).
- Since we're spending so much, my boss wants to re-use whatever cert I buy to chain trust back to Comodo for a local thatcompany.com Windows AD local root CA, which is yet to be built. Assume the DNS name for that server is pki01.thatcompany.com.
The problem is I've already given Comodo the CSR, and that CSR doesn't have pki01.thatcompany.com in the SAN. The decision to commit to a local root CA was made after I deployed the Cisco ISE server, and I'd like to understand whether it's worth contacting Comodo to make them issue the UC Certificate against an updated CSR.
QUESTION:
If I buy the aforementioned Comodo Unified Communications wildcard certificate, is there any good reason to put the future Windows AD local root CA DNS and IP in the SAN field of the UC Certificate? Is there any other reason that we couldn't reuse this Comodo UC Wildcard Certificate to build a Windows local root CA?
Notes
Note 1: Cisco recommends that you put both your RADIUS server's explicit IP and DNS name in the SAN field.
Note 2: Cisco recommends that you pay for a wildcard cert (i.e. put DNS:*.thatcompany.com in the SAN) because some EAP supplicants are broken (ref CiscoLive BRKSEC-3698 video by Aaron Woland). However, Comodo won't issue trial wildcard certs.
That's not possible - an end-entity certificate issued to you will contain "Basic Constraints" properties that'll prevent it from being used as, effectively, an intermediate certificate authority.
So, you'll either need to go full-on local (making a local root, issuing a cert for the RADIUS from it, and making all devices trust it) or stick with buying all the certs you need from a public cert authority like Comodo.
The local CA makes the wildcard option more palatable, as well, since there's no extra cost to issue one of those from your own system, but I'd say probably test with your trial certificate to determine if you need to be worried about compatibility with broken EAP clients.
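To see the Basic Constraints point from the answer above in practice, here is an added example (not code from the question or the answer): it builds a throwaway root CA, issues a server certificate with basicConstraints=CA:FALSE and the question's SAN list, then signs a would-be "pki01" CA certificate with that server certificate's key and asks openssl to verify the result. The root CA, key sizes, file names and the 30-day lifetimes are assumptions made for the demo; the hostnames and 192.0.2.x addresses are the constructed values from the question. It needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): show that a leaf certificate
# carrying basicConstraints=CA:FALSE cannot sign certificates that a verifier
# will accept. The root CA here is a constructed stand-in for a public CA.
set -eu

WORK=$(mktemp -d)

# Throwaway root CA config: CA:TRUE is what lets its key sign other certs.
cat >"$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = thatcompany.com demo root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Minimal config for plain CSRs (the subject is passed on the command line).
cat >"$WORK/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extensions a public CA puts on a server (end-entity) certificate:
# CA:FALSE plus the SAN list from the question.
cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius01.thatcompany.com,DNS:radius02.thatcompany.com,IP:192.0.2.1,IP:192.0.2.2
EOF

# Extensions the hoped-for local CA certificate (pki01) would need.
cat >"$WORK/subca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

build_chain() {
  cd "$WORK"
  # 1. Throwaway root (stands in for the public CA's root).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config root.cnf -keyout root.key -out root.crt >/dev/null 2>&1
  # 2. Server certificate for the RADIUS boxes, signed by the root with CA:FALSE.
  openssl req -new -newkey rsa:2048 -nodes -config csr.cnf \
    -subj "/CN=radius01.thatcompany.com" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
  # 3. Use that server certificate as the issuer of a "local CA" certificate.
  #    Producing the signature is just math; the CA:FALSE check happens at
  #    verification time. If a stricter openssl build refuses here, that shows
  #    the same point one step earlier.
  openssl req -new -newkey rsa:2048 -nodes -config csr.cnf \
    -subj "/CN=pki01.thatcompany.com" -keyout subca.key -out subca.csr >/dev/null 2>&1
  if ! openssl x509 -req -in subca.csr -CA leaf.crt -CAkey leaf.key -CAcreateserial \
      -days 30 -extfile subca.ext -out subca.crt >/dev/null 2>&1; then
    echo "openssl refused to sign with the CA:FALSE certificate" >&2
  fi
}

# basicConstraints flag on the server certificate: prints "CA:FALSE".
leaf_basic_constraints() {
  openssl x509 -in "$WORK/leaf.crt" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}

# The server certificate itself chains to the root: exit status 0.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# The pki01 certificate signed by the server cert does not chain: openssl
# rejects leaf.crt as an issuer ("invalid CA certificate"), non-zero exit.
verify_subca() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/leaf.crt" "$WORK/subca.crt" >/dev/null 2>&1
}

build_chain
echo "server cert basicConstraints: $(leaf_basic_constraints)"
if verify_leaf; then echo "leaf.crt chains to root: OK"; fi
if verify_subca; then
  echo "subca.crt chains to root (unexpected)"
else
  echo "subca.crt rejected: a CA:FALSE certificate cannot act as an issuer"
fi
```

The same rejection is what a supplicant or browser would produce, since RFC 5280 path validation requires every intermediate to assert cA=TRUE; there is no flag a public CA will set on a server certificate that changes this, which is why the answer's two options are the only ones.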