https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422251#M520596 <HTML><HEAD></HEAD><BODY><P>If CSRs as in certificate signing requests and if they are conforming to the certificate templates in ISE, then ISE may sign them as George already pointed out.</P><P></P><P>In case CSR as in Cisco Cloud Services Router, then <SPAN style="font-size: 10pt;">ISE internal CA is not currently supporting to issue certificates for Cisco IOS devices, last I checked. It's because Cisco IOS requiring the certificate with Key-encipherment, digital-signature, or both, and the CA certificates in ISE internal CA chains are not meeting that.</SPAN></P></BODY></HTML> Mon, 23 Oct 2017 17:10:12 GMT hslai 2017-10-23T17:10:12Z https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422249#M520585 <HTML><HEAD></HEAD><BODY><P>I have an ISE deployment that is currently using AD for auth of users. I would like to use certificates to verify the machine identity, one thing that is holding me back is that the deployment has no PKI.</P><P></P><P>As ISE can function as a CA, is it possible to create CSRs on the endpoints and then use the ISE CA to sign them? These are static endpoints and not BYOD, so once the certs are pushed out there is little ongoing admin.</P></BODY></HTML> Mon, 23 Oct 2017 10:03:34 GMT https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422249#M520585 cat5__utp 2017-10-23T10:03:34Z https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422250#M520591 <HTML><HEAD></HEAD><BODY><P>Does this help?</P><P></P><P>https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/certificate_provisioning/b_certificateprovisioningportalFAQs.html#reference_BCF69D6F74A547AB93079B75B94231A2__Q1</P><P></P><P>https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html</P></BODY></HTML> Mon, 23 Oct 2017 16:48:55 GMT https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422250#M520591 gbekmezi-DD 2017-10-23T16:48:55Z https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422251#M520596 <HTML><HEAD></HEAD><BODY><P>If CSRs as in certificate signing requests and if they are conforming to the certificate templates in ISE, then ISE may sign them as George already pointed out.</P><P></P><P>In case CSR as in Cisco Cloud Services Router, then <SPAN style="font-size: 10pt;">ISE internal CA is not currently supporting to issue certificates for Cisco IOS devices, last I checked. It's because Cisco IOS requiring the certificate with Key-encipherment, digital-signature, or both, and the CA certificates in ISE internal CA chains are not meeting that.</SPAN></P></BODY></HTML> Mon, 23 Oct 2017 17:10:12 GMT https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422251#M520596 hslai 2017-10-23T17:10:12Z https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422252#M520598 <HTML><HEAD></HEAD><BODY><P>HI, Thank you so much for your helpful answer, thats cleared it up for me. Certificate signing requests was indeed what I was looking at instead of cloud services routers. </P></BODY></HTML> Fri, 27 Oct 2017 08:27:16 GMT https://community.cisco.com/t5/network-access-control/using-ise-ca-to-sign-csrs/m-p/3422252#M520598 cat5__utp 2017-10-27T08:27:16Z