topic ISE 2.3 as intermediate CA und Microsoft Root CA in Network Access Control

ISE 2.3 as intermediate CA und Microsoft Root CA

nw-team01 — Tue, 11 Sep 2018 14:08:52 GMT

Hello,

I am trying to Bind CA Signed Certificate to the CSR generated for intermediate CA.

The root ca is a Microsoft Server 2012R2

ISE is Version 2.3

When binding the certificate, i get the following error:

Certificate does not comply with intermediate certification authority template.

The certficate i am trying to bind, looks fine to me:

Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

Has anyone encountered this issue before?

I'm guessing something is wrong with our Root ca, but who knows.

Any help is appreciated.

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

howon — Tue, 11 Sep 2018 14:53:33 GMT

Suggest looking at ise-psc.log. The log should provide information on why the certificate was rejected.

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

paul — Tue, 11 Sep 2018 15:09:33 GMT

I can't see your EKU settings. Do you have both client and server authentication enabled?

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

nw-team01 — Wed, 12 Sep 2018 13:05:09 GMT

Yes, i have both client server authentication enabled.

I searched the ise-psc.log. I can't find anything conclusive, i've attached the log segment from when attempting to bind the certificate.

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

howon — Wed, 12 Sep 2018 20:31:00 GMT

Try bumping up the ca-service log under Administration -> System -> Logging -> Debug Log Configuration to debug and go through bind process again.

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

kthiruve — Wed, 12 Sep 2018 20:51:02 GMT

Please see if you are using the right template in the CA to create the certificate.

Here is more information

ISE Intermediate CA—(Applicable only for the internal CA service when ISE acts as an intermediate CA of an external PKI) Used to generate an intermediate CA certificate on the Primary PAN and subordinate CA certificates on the PSNs. The certificate template on the signing CA is often called a Subordinate Certificate Authority. This template has the following properties:
- Basic Constraints: Critical, Is a Certificate Authority
- Key Usage: Certificate Signing, Digital Signature
- Extended Key Usage: OCSP Signing (1.3.6.1.5.5.7.3.9)

Thanks

Krishnan

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

nw-team01 — Thu, 13 Sep 2018 14:14:35 GMT

This ist the only useful message i'm getting from the log file, after setting debug condition:

Error occurred while verifying certificates for host: svtg001ise01.tg-cee.net. com.cisco.epm.cert.validator.CertPathVerificationException: Certificate Signature Verification failed

I created a Policy.inf file to generate the certificate, please see attached.

As it is a offline root ca, there are no (visible) certificate templates. The only thing i can influence, is the .inf file.

I have the root ca certificate imported under trusted certificates.

I'm running out of Ideas 😞

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

Jason Kunst — Thu, 13 Sep 2018 15:04:45 GMT

Would recommend troubleshoot through TAC.

Also consider do you truly need to add ISE to be part of the PKI? If you’re doing BYOD onboarding using Native supplicant and certificate provisioning then use ISE self contained. It just works out of the box with minor setup ☺

Re: ISE 2.3 as intermediate CA und Microsoft Root CA

Eric Pineda — Fri, 24 May 2019 21:06:15 GMT

Hi,

This was probably already solved for you but if someone else runs into this, make sure to use a SubCa (Subordinate Certification Authority) as the certificate template from Microsoft CA.

In my lab this is what the cert has and it works for ISE's intermediate CA:

EKU

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
OCSP Signing (1.3.6.1.5.5.7.3.9)

Key Usage

Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

The template has Basic Constraint as: "The subject is a certification authority (CA)." Critical extension.