
Impact of disabling Internal CA on ISE

umahar
Cisco Employee

Is there any impact of disabling the internal CA in a distributed cluster if we are not using the internal CA to issue any certs to endpoints or for any other pxGrid clients?

I know a distributed cluster has its own PKI hierarchy starting with root CA from PAN.

Is there any impact to adding new nodes after disabling the internal CA?

Accepted Solutions

hslai
Cisco Employee

The others are correct if the ISE deployments are of ISE 2.4 or prior.

In ISE 2.6 distributed deployments, the ISE internal CA is also used to issue certificates for ISE Messaging Service (which provides ISE Light Session Directory), so we should not disable it.


4 Replies

Mike.Cifelli
VIP Alumni
You should be ok since the new nodes will use self-signed certs, which will give you time to generate CSRs to get certs from whatever external CA you use. I would double check to ensure that your ISE internal CA has not issued any certs that you may be unaware of just to ensure that nothing breaks. HTH!

The internal CA is only for issuing certs to pxGrid clients and endpoints authenticating to ISE using TLS. Otherwise why would you need the internal CA enabled?

Requesting CSRs for an external CA has nothing to do with the internal CA, AFAIK.

Short answer is no, if you aren't using it for distributing certs.
