https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423291#M536967 <HTML><HEAD></HEAD><BODY><P>Hi Alex,</P><P></P><P>There is no validated limit to the number of CA. As long as the CA root cert and/or intermediate certificate in the Trusted certificate section for the right set of services such as EAP, Admin etc, the client certificate will be validated. The AD domains ISE support can be in a single or multiple forests. </P><P>For ISE performance metrics, please see <A href="https://community.cisco.com/docs/DOC-68347">ISE Performance &amp;amp; Scale</A> community page.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Thu, 17 Nov 2016 17:59:05 GMT kthiruve 2016-11-17T17:59:05Z https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423290#M536966 <HTML><HEAD></HEAD><BODY><P>Here is the scenario:</P><P></P><P>50 different AD domains.</P><P> We know that ISE can support up to 50 AD domains however this is not the issue we are concerned about.</P><P>What concerns us is that each one of those 50 domains has a separate Microsoft CA / PKI environment and the client wants to perform certificate based authentication for all endpoints from all of the 50 AD domains.</P><P>I've skimmed through the 'Managing Certificates' chapter of: <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21.pdf" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21.pdf">http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21.pdf</A></P><P>There does not seem to be any indication as to a limit of certificates, so then does the limit fall in the number of AD Forest that are supported (50)? You just need to pull the cert onto ISE from each CA in each forest?</P><P>Let's make the assumption whether domains or forest that there is NO two way trust.</P></BODY></HTML> Wed, 16 Nov 2016 17:52:58 GMT https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423290#M536966 algoldst 2016-11-16T17:52:58Z https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423291#M536967 <HTML><HEAD></HEAD><BODY><P>Hi Alex,</P><P></P><P>There is no validated limit to the number of CA. As long as the CA root cert and/or intermediate certificate in the Trusted certificate section for the right set of services such as EAP, Admin etc, the client certificate will be validated. The AD domains ISE support can be in a single or multiple forests. </P><P>For ISE performance metrics, please see <A href="https://community.cisco.com/docs/DOC-68347">ISE Performance &amp;amp; Scale</A> community page.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Thu, 17 Nov 2016 17:59:05 GMT https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423291#M536967 kthiruve 2016-11-17T17:59:05Z https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423292#M536969 <HTML><HEAD></HEAD><BODY><P>If asking the max # of Trusted Certs, here are the numbers:</P><P></P><P>Maximum # User Certificates&nbsp;&nbsp;&nbsp; 1M</P><P>Maximum # Server Certificates&nbsp;&nbsp;&nbsp; 1000</P><P>Maximum # Trusted Certificates&nbsp;&nbsp;&nbsp; 1000</P><P></P><P>/Craig</P></BODY></HTML> Thu, 17 Nov 2016 18:50:46 GMT https://community.cisco.com/t5/network-access-control/is-there-a-limit-to-how-many-ca-server-cert-s-can-be-used/m-p/3423292#M536969 Craig Hyps 2016-11-17T18:50:46Z