Can ISE serve as an intermediate Certificate Authority?

fitzie
Level 1

My company supports multiple implementations of ISE.  One of them relies upon our internal AD implementation, which utilizes both a Root certificate and an Intermediate certificate from AD, and all of the internal devices and users are also trusted by our AD as well.

In this new instance, we're building a new ISE cluster on an isolated network that is attached to an external entity instead of our internal AD.  My assumption is that we'd submit CSRs to the external entity so the ISE servers are trusted.

My question deals with the network devices as well as the end users and end user devices.  While we'll need to have each of the devices and users submit a CSR, it seems that one course of action is to submit the CSRs to the external entity, which seems inefficient.  The other, more desired outcome is that we can submit the CSRs to ISE, and have ISE issue certs on behalf of the external entity, serving as an intermediate CA.

Is this possible?

Accepted Solution

Arne Bier
VIP

As far as I know, ISE can act as an intermediate only in the case of the ISE BYOD onboarding flow - ISE will forward the cert creation requests from the end devices (e.g. iOS/Android/Windows) and then forward them onto an external PKI.

Also, ISE doesn't process CSRs, unless you submit them to the internal CA. ISE has its own internal CA - but in this case, ISE is the CA (Root CA on PAN, and PSNs as Issuing CAs).

The ISE Internal CA is mostly used for ISE's BYOD Feature - but you can use it for other things like pxGrid integration, and just generally creating certs for end-devices in a self-service style portal (users log in and generate a cert for themselves).

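The hierarchy the answer describes (a root CA on the PAN with issuing CAs beneath it) is an ordinary three-tier PKI, and the question of "serving as an intermediate" comes down to whether the superior CA has issued a CA certificate (basicConstraints CA:TRUE) rather than a plain end-entity certificate. The script below is an added example, not anything from this thread or from Cisco ISE; it uses the openssl command line to build a root, an issuing CA and a device certificate with constructed placeholder names, then shows three verification outcomes: the device cert chains to the root when the issuing CA cert is presented, it fails when the intermediate is missing, and a certificate signed by the CA:FALSE device cert is rejected even though openssl will happily produce it. The file names, the CNs and the WORK directory are assumptions made here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from ISE): a three-tier PKI built with
# the openssl CLI, plus the checks a relying party would run against it.
# All names below (Example ISE Root CA, Example ISE Issuing CA,
# device01.example.test, ...) are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Generate a P-256 key and a CSR for file stem $1 with common name $2.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Sign CSR $1 with the CA whose stem is $2, applying extension file $3.
sign_with() {
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_chain() {
  # Extension profiles: what makes a cert a CA is basicConstraints CA:TRUE.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=clientAuth' > "$WORK/leaf.ext"

  # Tier 1: self-signed root (the trust anchor, like the root CA on the PAN).
  new_csr root "Example ISE Root CA"
  openssl x509 -req -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

  # Tier 2: issuing CA. It is an intermediate only because the root signed a
  # CA:TRUE certificate for it; pathlen:0 forbids further sub-CAs below it.
  new_csr issuing "Example ISE Issuing CA"
  sign_with issuing root ca.ext

  # Tier 3: end-entity device certificate issued by the issuing CA.
  new_csr device "device01.example.test"
  sign_with device issuing leaf.ext

  # Negative case: a cert "issued" by the device cert. openssl signs it, but
  # device.pem carries CA:FALSE, so no verifier should accept the result.
  new_csr bogus "device02.example.test"
  sign_with bogus device leaf.ext
}

# The verifier trusts only the root; the issuing CA cert is supplied as
# untrusted chain material, as a client would send it alongside its own cert.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" \
    "$WORK/device.pem" >/dev/null 2>&1
}

# Without the intermediate, no path from the device cert to the root exists.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/device.pem" >/dev/null 2>&1
}

# A path through a CA:FALSE certificate is rejected even with everything present.
verify_signed_by_non_ca() {
  cat "$WORK/issuing.pem" "$WORK/device.pem" > "$WORK/untrusted.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/untrusted.pem" \
    "$WORK/bogus.pem" >/dev/null 2>&1
}

# Stand-alone run: build everything and report the three checks.
build_chain
verify_chain && echo "device cert chains to root via issuing CA: OK"
verify_without_intermediate || echo "intermediate not presented: verify fails (expected)"
verify_signed_by_non_ca || echo "issuer lacks CA:TRUE: verify fails (expected)"
```

The third check is the one that matters for the original question: an entity that only holds an end-entity certificate from the external PKI can sign whatever it likes, but relying parties that trust the external root will reject those certificates, so acting as an intermediate requires the external CA to issue a CA certificate, not just a server certificate. `openssl verify` also reports the reason (for example "invalid CA certificate") if the `>/dev/null 2>&1` redirections are removed.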

