<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can ISE serve as an intermediate Certificate Authority? in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/can-ise-serve-as-an-intermediate-certificate-authority/m-p/4650798#M576168</link>
    <description>&lt;P&gt;As far as I know, ISE can act as an intermediate only in the case of the ISE BYOD onboarding flow - ISE will forward the cert creation requests from the end devices (e.g. iOS/Android/Windows) and then forward them onto an external PKI.&lt;/P&gt;
&lt;P&gt;Also, ISE doesn't process CSRs, unless you submit them to the internal CA. ISE has its own internal CA - but in this case, ISE is the CA (Root CA on PAN, and PSNs Issuing CAs)&lt;/P&gt;
&lt;P&gt;The ISE Internal CA is mostly used for ISE's BYOD Feature - but you can use it for other things like pxGrid integration, and just generally creating certs for end-devices in a self-service style portal (users log in and generate a cert for themselves).&lt;/P&gt;</description>
    <pubDate>Thu, 14 Jul 2022 20:49:44 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2022-07-14T20:49:44Z</dc:date>
    <item>
      <title>Can ISE serve as an intermediate Certificate Authority?</title>
      <link>https://community.cisco.com/t5/network-access-control/can-ise-serve-as-an-intermediate-certificate-authority/m-p/4650789#M576167</link>
      <description>&lt;P&gt;My company supports multiple implementations of ISE.&amp;nbsp; One of them relies upon our internal AD implementation, which utilizes both a Root certificate and an Intermediate certificate from AD, and all of the internal devices and users are also trusted by our AD as well.&lt;/P&gt;&lt;P&gt;In this new instance, we're building a new ISE cluster on an isolated network that is attached to an external entity instead of our internal AD.&amp;nbsp; My assumption is that we'd submit CSRs to the external entity so the ISE servers are trusted.&lt;/P&gt;&lt;P&gt;My question deals with the network devices as well and the end users and end user devices.&amp;nbsp; While we'll need to have each of the devices and users submit a CSR, it seems that one course of action is to submit the CSRs to the external entity, which seems inefficient.&amp;nbsp; The other more desired outcome is that we can submit the CSRs to ISE, and have ISE issue certs on behalf of the external entity, serving as an intermediate CA.&lt;BR /&gt;&lt;BR /&gt;Is this possible?&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2022 20:26:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/can-ise-serve-as-an-intermediate-certificate-authority/m-p/4650789#M576167</guid>
      <dc:creator>fitzie</dc:creator>
      <dc:date>2022-07-14T20:26:28Z</dc:date>
    </item>
    <item>
      <title>Re: Can ISE serve as an intermediate Certificate Authority?</title>
      <link>https://community.cisco.com/t5/network-access-control/can-ise-serve-as-an-intermediate-certificate-authority/m-p/4650798#M576168</link>
      <description>&lt;P&gt;As far as I know, ISE can act as an intermediate only in the case of the ISE BYOD onboarding flow - ISE will forward the cert creation requests from the end devices (e.g. iOS/Android/Windows) and then forward them onto an external PKI.&lt;/P&gt;
&lt;P&gt;Also, ISE doesn't process CSRs, unless you submit them to the internal CA. ISE has its own internal CA - but in this case, ISE is the CA (Root CA on PAN, and PSNs Issuing CAs)&lt;/P&gt;
&lt;P&gt;The ISE Internal CA is mostly used for ISE's BYOD Feature - but you can use it for other things like pxGrid integration, and just generally creating certs for end-devices in a self-service style portal (users log in and generate a cert for themselves).&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2022 20:49:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/can-ise-serve-as-an-intermediate-certificate-authority/m-p/4650798#M576168</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-07-14T20:49:44Z</dc:date>
    </item>
  </channel>
</rss>

