https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053734#M22733 <P>Technically you can use ISE as a CA. However, this is not recommended because most likely it will not scale.</P> <P>What is not clear to me is why you are trying to export the root certificate and private key and import it to another CA. Can you add more details?</P> <P>@berna_tllz</P> Wed, 24 May 2017 20:43:26 GMT Bernardino Tellez 2017-05-24T20:43:26Z https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053733#M22732 <P>I´m using ISE 2.1 as CA for BYOD and deploying user certificates to devices. Everything works fine in the provisioning and EAP authentication.</P> <P></P> <P>Taking prrofit of the ISE CA I would like to use it for other platforms, I mean servers, proxies.... I would like to know if it is possible to sing certificates for other subordinates root CA´s or servers.</P> <P></P> <P>I also exported root CA certificates and private keys by CLI,&nbsp;trying to import them to another CA server but the file is encrypted, of course I know the password, but it is a file with no format.</P> <P></P> <P>Does anyone knows if it is possible to use ISE CA as an "standard " PKI CA server?</P> <P></P> <P>Thanks.</P> Mon, 11 Mar 2019 07:44:29 GMT https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053733#M22732 alberx 2019-03-11T07:44:29Z https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053734#M22733 <P>Technically you can use ISE as a CA. However, this is not recommended because most likely it will not scale.</P> <P>What is not clear to me is why you are trying to export the root certificate and private key and import it to another CA. Can you add more details?</P> <P>@berna_tllz</P> Wed, 24 May 2017 20:43:26 GMT https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053734#M22733 Bernardino Tellez 2017-05-24T20:43:26Z https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053735#M22736 <P>Hi Bernardino.</P> <P></P> <P>I want&nbsp;to use ISE root certificate ( or to sign a subordinate Root certificate) for a proxy service and intercept SSL.</P> <P></P> <P>As my client endpoints already have this root certificate installed via the BYOD provision process I would like to take profit and avoid the necessity to distribute another certificate to my clients. Much of them are private devices and I can not control them.</P> <P></P> <P>Thanks.</P> Thu, 25 May 2017 08:37:24 GMT https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053735#M22736 alberx 2017-05-25T08:37:24Z https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053736#M22737 <P></P> <P>What you can do is to deploy a Root CA (if you don't have it yet) and make the PAN a subordinate of that CA. In that way, all the endpoint certificates will trust the Root certificate. In that scenario, you can use your Root CA to sign the proxy's certificate without trust issues from the BYOD clients. This will also help you with any other service that requires a certificate.</P> <P>The downside is that you will need to redeploy the BYOD certificates. You can read about this in the following link:</P> <P>http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#task_E458E69FA39941BBAA9799AAD7FDC644</P> <P>&nbsp;Twitter: @berna_tllz</P> Thu, 25 May 2017 14:25:06 GMT https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053736#M22737 Bernardino Tellez 2017-05-25T14:25:06Z https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053737#M22741 <P>Yes, I already knew this.</P> <P>But my client still does not&nbsp;have PKI infrastructure and I don´t want to create it for them.</P> <P></P> <P>Thanks anyway.</P> Thu, 25 May 2017 14:46:16 GMT https://community.cisco.com/t5/network-access-control/ise-ca-certificates/m-p/3053737#M22741 alberx 2017-05-25T14:46:16Z