Cisco Employee

ISE and PKI

Got this question on an internal email alias.

Q:  Can ISE function as a root CA in a PKI? So far not having any luck finding info. Customer is currently using a 2901 router as the certificate authority for a DMVPN. Need to scale this and perhaps have something besides a router performing the root certificate authority function but have routers as subordinate CAs in various geographies.

A1:  Short answer:  ISE can and does act as a root in a PKI, but cannot do what you are asking today.

A2:  Longer answer:  As of today (ISE 2.0) and including the upcoming 1HCY16 release (ISE 2.1), the ISE certificate authority is designed only as a BYOD certificate authority.  It is designed to be simple and very easy to use, but powerful with enterprise CA capabilities under the covers.  There are no hooks to add in any subordinate CAs other than ISE nodes themselves.  In other words, an IOS router cannot be added as a subordinate CA.  Also, ISE is currently restricted to issuing end-entity certificates only.  In 2.1 we have the ability to choose Server and Client usages, but the extended key usages (EKUs) for IPsec encryption, etc. are not part of the ISE certificate templates today.
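The two properties the answer above turns on can be checked directly on any certificate a CA hands out: whether basicConstraints marks it as a CA (so it could act as a subordinate CA) and which extended key usages it carries (so it could be used for IPsec/IKE). The following Go program is an added example written for this page, not code from the post, from ISE, or from Cisco. It builds a constructed three-tier hierarchy (root, regional sub-CA, router leaf) with Go's standard crypto/x509, audits each certificate, and shows that a chain routed through an end-entity certificate fails validation, which is exactly why a CA that issues only end-entity certificates cannot seat routers as subordinate CAs. The names (Corp Root CA, EMEA Sub CA, hub-router.example.net, and so on) are hypothetical. The IKE Intermediate EKU OID 1.3.6.1.5.5.8.2.2 and the ipsecTunnel/ipsecEndSystem/ipsecUser EKUs are real, standard identifiers; the example does not claim which of them any particular IOS version requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// ikeIntermediate is the IKE Intermediate EKU OID (1.3.6.1.5.5.8.2.2). Go's
// crypto/x509 has no named constant for it, so it lands in UnknownExtKeyUsage.
var ikeIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}

// Profile is the audit result for one certificate.
type Profile struct {
	Subject      string
	IsCA         bool     // basicConstraints cA=TRUE
	CanSignCerts bool     // keyUsage includes keyCertSign
	EKUs         []string // all EKUs, named where Go knows them, OID otherwise
	IPsecEKU     bool     // carries an IPsec- or IKE-related EKU
}

var ekuNames = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth:     "serverAuth",
	x509.ExtKeyUsageClientAuth:     "clientAuth",
	x509.ExtKeyUsageIPSECEndSystem: "ipsecEndSystem",
	x509.ExtKeyUsageIPSECTunnel:    "ipsecTunnel",
	x509.ExtKeyUsageIPSECUser:      "ipsecUser",
}

// Audit reports the CA flag, signing ability and EKU set of a parsed certificate.
func Audit(c *x509.Certificate) Profile {
	p := Profile{Subject: c.Subject.CommonName, IsCA: c.BasicConstraintsValid && c.IsCA,
		CanSignCerts: c.KeyUsage&x509.KeyUsageCertSign != 0}
	for _, e := range c.ExtKeyUsage {
		name, ok := ekuNames[e]
		if !ok {
			name = fmt.Sprintf("eku(%d)", e)
		}
		p.EKUs = append(p.EKUs, name)
		if e == x509.ExtKeyUsageIPSECEndSystem || e == x509.ExtKeyUsageIPSECTunnel || e == x509.ExtKeyUsageIPSECUser {
			p.IPsecEKU = true
		}
	}
	for _, oid := range c.UnknownExtKeyUsage {
		p.EKUs = append(p.EKUs, oid.String())
		if oid.Equal(ikeIntermediate) {
			p.IPsecEKU = true
		}
	}
	return p
}

// ChainOK validates leaf up to root through the given intermediates. EKU
// chaining is disabled (ExtKeyUsageAny) so the result reflects only the CA
// flags, key usages and signatures.
func ChainOK(root *x509.Certificate, inter []*x509.Certificate, leaf *x509.Certificate) error {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inter {
		ints.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ints,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// newTemplate builds a minimal template; CA templates get keyCertSign/cRLSign.
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate together with the new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo holds the audit of each constructed certificate and both chain results.
type Demo struct {
	Root, SubCA, Router, FromEndEntity Profile
	GoodChainErr, BadChainErr           error
}

// RunDemo builds the hypothetical hierarchy and a chain that runs through an
// end-entity certificate, the situation a BYOD-only CA would leave you in.
func RunDemo() (Demo, error) {
	root, rootKey, err := issue(newTemplate(1, "Corp Root CA", true), nil, nil)
	if err != nil {
		return Demo{}, err
	}
	sub, subKey, err := issue(newTemplate(2, "EMEA Sub CA", true), root, rootKey)
	if err != nil {
		return Demo{}, err
	}
	rt := newTemplate(3, "hub-router.example.net", false)
	rt.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageIPSECTunnel}
	rt.UnknownExtKeyUsage = []asn1.ObjectIdentifier{ikeIntermediate}
	router, _, err := issue(rt, sub, subKey)
	if err != nil {
		return Demo{}, err
	}
	ee, eeKey, err := issue(newTemplate(4, "byod-endpoint", false), sub, subKey) // end-entity only
	if err != nil {
		return Demo{}, err
	}
	spoke := newTemplate(5, "spoke-router.example.net", false)
	spoke.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}
	fromEE, _, err := issue(spoke, ee, eeKey) // signed by a cert that is not a CA
	if err != nil {
		return Demo{}, err
	}
	return Demo{Root: Audit(root), SubCA: Audit(sub), Router: Audit(router), FromEndEntity: Audit(fromEE),
		GoodChainErr: ChainOK(root, []*x509.Certificate{sub}, router),
		BadChainErr:  ChainOK(root, []*x509.Certificate{sub, ee}, fromEE)}, nil
}

func main() {
	d, err := RunDemo()
	if err != nil {
		panic(err)
	}
	for _, p := range []Profile{d.Root, d.SubCA, d.Router, d.FromEndEntity} {
		fmt.Printf("%-26s CA=%-5v certSign=%-5v ipsecEKU=%-5v EKUs=%v\n", p.Subject, p.IsCA, p.CanSignCerts, p.IPsecEKU, p.EKUs)
	}
	fmt.Println("root -> sub-CA -> router chain:", d.GoodChainErr)
	fmt.Println("chain through end-entity cert:  ", d.BadChainErr)
}
```

To audit a real CA, replace the constructed hierarchy with `x509.ParseCertificate` on DER exported from it and run `Audit`: an issued certificate with `IsCA` false can never anchor a regional subordinate CA, and an empty or server/client-only EKU list is what the answer above describes for the ISE templates.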

Beginner

Re: ISE and PKI

Aaron (and others): Has this changed as of v2.4?  We're looking for ISE to be the CA for a DMVPN.

Cisco Employee

Re: ISE and PKI

No change in regards to internal CA use with current version of ISE.
