
Using ISE Internal CA as a Corporate PKI

datomkin
Cisco Employee

Hello,

I have a customer that is currently looking at redesigning their current PKI. They wish to use the Internal CA feature as an intermediary of an external root for the provisioning point for all of their corporate assets, including MS devices. This would not be for a BYOD function but for corporate authentication.

This is not something I have seen in the past or advised outside of a BYOD/pxGrid use. Typically an MS CA or a 3rd-party CA fills this function. So I have some questions, if I may:

  1. Is this a supported design for the Internal CA?
  2. Are there any scale issues or limits?
  3. If this is supported, what are the major considerations or limitations?
    1. I assume a lack of auto-enrollment, and that user interaction is required in general?

Endpoint count is in the realm of 100K.

Thanks in advance!

Dave

Accepted Solution

hariholla
Cisco Employee

Is this a supported design for the Internal CA?

  • [A] ISE is supported to function as a Sub-CA; however, it is not intended for purposes beyond BYOD and pxGrid.

Are there any scale issues or limits?

If this is supported, what are the major considerations or limitations?

- I assume a lack of auto-enrollment, and that user interaction is required in general?

  • [A] Yes, auto-enrollment won’t work. The certificate template is not customizable. No option for machine certs if necessary. Not sure if GPO for supplicant configuration will work, may have to do the supplicant configuration manually, which needs local admin rights on the endpoint. The other option to consider is to use the native supplicant provisioning flow to automate the certificate installation and supplicant configuration.

~Hari


3 Replies

Jason Kunst
Cisco Employee

I don’t quite understand what they want to do.

Are you trying to do certificate provisioning through ISE acting as the SCEP server, but outside of the BYOD flow?

If that’s the case, it’s not something that has been tested, and therefore not supported, and it would be completely up to the customer to investigate.

paul
Level 10

I don't see why they would want to go through the pain of doing this. ISE would not support auto-enrollment for MS devices. They would all have to go through the client provisioning portal to get a cert. The ISE internal CA should be used for one-off provisioning, in my opinion, not as an enterprise issuing server.
