topic Re: ISE pxGrid client/server certificate creation and renewal in Network Access Control

ISE pxGrid client/server certificate creation and renewal

JaseNL — Tue, 15 Jul 2025 11:48:33 GMT

I am setting up a number of servers as pxGrid clients and I have a couple of questions about what's possible and what's best practice.

1. Is it possible to generate a client/server certificate using a private key generated locally on the server?

2. All the documentation I've seen up till now describes renewing the client/server certificate from the GUI. Are there any facilities for automating this?

Thanks

Re: ISE pxGrid client/server certificate creation and renewal

Greg Gibbs — Tue, 15 Jul 2025 22:08:07 GMT

1. If you're talking about a private key generated on an external server, then yes. You can generate a private key and CSR on an external server, have it signed by your CA (using a template with both the Client and Server Auth EKUs), then import the key and signed certificate into ISE for the pxGrid usage.
On ISE directly, you can only generate the CSR (which generates the private key stored internally). Only after binding the signed certificate to the CSR in ISE are you able to export the private key (with the certificate).

2. Yes, there are APIs and IaC tools (Ansible, Terraform) for performing the same Certificate operations as in the GUI.
https://developer.cisco.com/docs/identity-services-engine/latest/certificate-openapi/

Re: ISE pxGrid client/server certificate creation and renewal

JaseNL — Tue, 15 Jul 2025 22:57:38 GMT

Thanks, that's clear.