cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

106
Views
2
Helpful
3
Replies
Highlighted
Rising star

How can I automate ISE certificate store sync with CUCM certificate store?

Hi everyone,

As far as I can tell, there is no out of box support for syncing the two certificate stores.

I'm hoping this will be added in a future release, since it's an obvious ecosystem caveat.

Is there a REST based method to extract certificates from CUCM store and push them into ISE by REST? I'd imagine the CAPF and CAPF-Trust certs will suffice for a Mixed Mode CUCM deployment.

Thanks!

Everyone's tags (3)
3 REPLIES 3
Advocate

Re: How can I automate ISE certificate store sync with CUCM certificate store?

There is currently no API for pushing/pulling certs from ISE.  Cannot speak for CUCM.

Cisco Employee

Re: How can I automate ISE certificate store sync with CUCM certificate store?

If using the certificates for EAP-TLS, there is no need to sync or import individual end-entity certificates to ISE. Instead, ISE needs only the root CA and/or any of intermediate CA certificates imported and trusted for client authentication.

Rising star

Re: How can I automate ISE certificate store sync with CUCM certificate store?

Hi,

Keep in mind that the CA for signing phones (CAPF) is self signed by the CUCM cluster. This means that its public cert needs to be uploaded into ISE in order for phones to be able to authenticate for 802.1x with ISE.

Yes, it is possible to use your own CA as a CAPF but then provisioning phones becomes way too cumbersome.