ISE and PKI

Aaron Woland
Cisco Employee

Got this question on an internal email alias.

Q:  Can ISE function as a root CA in a PKI? So far not having any luck finding info. Customer is currently using a 2901 router as the certificate authority for a DMVPN. Need to scale this and perhaps have something besides a router performing the root certificate authority function but have routers as subordinate CAs in various geographies.

A1:  Short answer:  ISE can and does act as a root in a PKI, but cannot do what you are asking today.

A2:  Longer answer:  As of today (ISE 2.0) and including the upcoming 1HCY16 release (ISE 2.1), the ISE certificate authority is designed only as a BYOD certificate authority.  It is designed to be simple and very easy to use, but powerful with enterprise CA capabilities under the covers. There are no hooks to add in any subordinate CAs other than ISE nodes themselves.  In other words, an IOS router cannot be added as a subordinate CA.  Also, ISE is currently restricted as to the types of certificates that are issued: end-entity certificates only.  In 2.1 we have the ability to choose Server and Client usages, but the extended key usages (EKUs) for IPSec encryption, etc. are not part of the ISE Certificate templates today.
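The answer turns on two certificate properties: whether a cert may sign other certs (CA:TRUE plus keyCertSign, which a sub-CA needs and an end-entity cert lacks) and which EKUs it carries. As an added illustration, not code from the thread or from Cisco, this script uses the pyca/cryptography library to build two constructed self-signed test certificates, one shaped like an ISE BYOD-template end-entity cert and one shaped like a DMVPN sub-CA, and classifies each; the IPsec EKU OIDs (id-kp-ipsecIKE from RFC 4945 and the legacy ikeIntermediate value) are assumptions, not values from the thread.

```python
# Added example (not from the thread): does a certificate qualify as a sub-CA, and does it
# carry an IKE/IPsec EKU? Assumes pyca/cryptography; sample certificates are constructed.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# EKUs an IKE/IPsec peer is usually expected to present (assumed OIDs, not from the thread).
IPSEC_EKUS = {x509.ObjectIdentifier("1.3.6.1.5.5.7.3.17"),  # id-kp-ipsecIKE (RFC 4945)
              x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")}   # ikeIntermediate (legacy)

def _ext(cert, cls):
    # Extension value of type cls, or None when the certificate does not carry it.
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def classify(cert: x509.Certificate) -> dict:
    """Summarise CA capability and EKU coverage of one certificate."""
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    eku = _ext(cert, x509.ExtendedKeyUsage)
    ekus = set(eku) if eku else set()
    return {  # a sub-CA needs CA:TRUE *and* keyCertSign; an end-entity cert has neither
        "can_sign_certs": bool(bc and bc.ca and ku and ku.key_cert_sign),
        "eku_oids": sorted(o.dotted_string for o in ekus),
        "ipsec_eku": bool(ekus & IPSEC_EKUS),
    }

def make_cert(cn: str, ca: bool, ekus: list) -> x509.Certificate:
    """Constructed self-signed test certificate (sample data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
             key_encipherment=not ca, data_encipherment=False, key_agreement=False,
             key_cert_sign=ca, crl_sign=ca, encipher_only=False, decipher_only=False), critical=True))
    if ekus:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(key, hashes.SHA256())

# End-entity cert with only serverAuth/clientAuth: the shape of an ISE BYOD-template cert.
BYOD_STYLE = make_cert("byod-endpoint", False, [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])
SUB_CA_STYLE = make_cert("regional-sub-ca", True, [])  # what a DMVPN sub-CA needs: CA:TRUE + keyCertSign
```

Running `classify` on a certificate pulled from a live ISE deployment would show the same pattern as `BYOD_STYLE`: no signing capability and no IPsec EKU, which is why such a cert cannot serve as a router sub-CA.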

3 Replies

fitzie
Level 1

Aaron (and others)  Has this changed as of v2.4?  We're looking for ISE to be the CA for a DMVPN.

howon
Cisco Employee

No change in regards to internal CA use with current version of ISE.
