368 Views, 0 Helpful, 3 Replies
rwehe
Cisco Employee

Can ISE use a Windows certificate store as a posture condition?

Our customer is not yet using certificates for ISE authentication and is in the process of deploying CA and PKI services to enable certificate enrollment. They want to audit the population of devices that still don't have a certificate before enabling certificate-based authentication. They want to see if they can use an ISE posture condition in audit mode to collect statistics on this.

Is it possible to create a posture condition in ISE to query the cert store on Windows to identify if a cert has been issued by a specific, user defined CA?

3 Replies
Aravind Ravichandran
Participant

Hi,

Create a registry condition with the following path for the machine certificate:

HKEY_LOCAL_MACHINE/Software/Microsoft/SystemCertificate with the required key as mentioned in this link: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/system-store-locations

-Aravind

Thanks for the thought Aravind - I checked the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\<MY | Root | Trust | CA> and each certificate appears as a Blob. They're also different from machine to machine. I'm not sure this will work as I don't see how to get the CA from a Blob and into ISE.

Technically speaking, you can: at the end of the day it is a hex dump and you will find bits and pieces of what you are looking for. For example, you can find the issuer name somewhere lurking in there. You can look for a registry value that contains, say, "4d 69 63 72 6f 73 6f 66 74 20 52 6f 6f 74 20 43 41" for "Microsoft Root CA". It is not an acceptable solution as such but a very, very dirty workaround and not a 100% accurate one.
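As an added example, not code posted by anyone in this thread, the following Python does what the discussion is circling around: it takes a SystemCertificates `Blob` value, walks its property records (assumed layout, matching Windows' serialized store element: DWORD property id, DWORD reserved, DWORD length, then the data, with the DER certificate stored under property id 0x20, CERT_CERT_PROP_ID), parses the X.509 issuer out of the embedded certificate, and sets that structured check beside the raw hex "contains" pattern from the last reply. Instead of reading the registry it builds a constructed, skeletal certificate so it runs anywhere; the names in it (Contoso, Contoso Issuing CA, workstation01) are made up for the sample.

```python
"""Parse a Windows SystemCertificates registry Blob and extract the certificate issuer.
Assumed Blob layout: repeated (DWORD propId, DWORD reserved, DWORD cbData, data[cbData])
records, with the DER certificate under propId 0x20 (CERT_CERT_PROP_ID)."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 0x03, 0x20
# DER-encoded OIDs of common X.500 Name attributes -> short names
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
             b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC"}

def der_encode(tag, content):
    """Minimal DER TLV encoder; used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Iterate the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        yield tag, value

def blob_properties(blob):
    """Yield (prop_id, data) records from the serialized store element."""
    pos = 0
    while pos + 12 <= len(blob):
        prop_id, _reserved, size = struct.unpack_from("<III", blob, pos)
        yield prop_id, blob[pos + 12:pos + 12 + size]
        pos += 12 + size

def certificate_from_blob(blob):
    for prop_id, data in blob_properties(blob):
        if prop_id == CERT_CERT_PROP_ID:
            return data
    raise ValueError("no certificate property in blob")

def parse_name(name_content):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value } -> 'CN=x, O=y'."""
    parts = []
    for _set, rdn in der_children(name_content):
        for _seq, atv in der_children(rdn):
            (_, oid), (vtag, value) = list(der_children(atv))[:2]
            # BMPString (0x1E) is UTF-16BE, which an ASCII hex pattern would never match
            text = value.decode("utf-16-be") if vtag == 0x1E else value.decode("utf-8", "replace")
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={text}")
    return ", ".join(parts)

def issuer_of(cert_der):
    """Certificate -> tbsCertificate -> issuer, rendered as RDN text."""
    _, cert_content, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert_content, 0)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                            # optional explicit [0] version first
        fields = fields[1:]
    return parse_name(fields[2][1])                     # serialNumber, signature, issuer, ...

def issued_by(blob, ca_common_name):
    """Structured check: is the embedded certificate's issuer CN the given CA?"""
    return f"CN={ca_common_name}" in issuer_of(certificate_from_blob(blob)).split(", ")

def hex_pattern(text):
    """The thread's 'dirty' registry-contains pattern: ASCII bytes of the issuer string."""
    return " ".join(f"{b:02x}" for b in text.encode("ascii"))

def _name(**attrs):
    oids = {v: k for k, v in OID_NAMES.items()}
    rdns = b"".join(der_encode(0x31, der_encode(0x30, der_encode(0x06, oids[k]) + der_encode(0x0C, v.encode())))
                    for k, v in attrs.items())
    return der_encode(0x30, rdns)

def build_sample_blob(issuer_cn="Microsoft Root CA", subject_cn="workstation01"):
    """Constructed sample, not a real certificate: skeletal TBSCertificate with placeholder
    SPKI and signature, wrapped in the registry property format described above."""
    sha256_rsa = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_encode(0x05, b""))
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"260101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + sha256_rsa + _name(CN=issuer_cn, O="Contoso") + validity
                     + _name(CN=subject_cn) + der_encode(0x30, b""))
    cert = der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00"))
    props = [(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert).digest()), (CERT_CERT_PROP_ID, cert)]
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in props)

if __name__ == "__main__":
    pattern = bytes.fromhex(hex_pattern("Microsoft Root CA"))
    # Decoy: same bytes in the Subject instead of the Issuer; the hex search still hits
    for label, blob in (("good", build_sample_blob()),
                        ("decoy", build_sample_blob("Contoso Issuing CA", "Microsoft Root CA"))):
        print(label, issuer_of(certificate_from_blob(blob)), "| hex match:", pattern in blob,
              "| issued_by:", issued_by(blob, "Microsoft Root CA"))
```

Against a real machine, read the value with PowerShell, for example `(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\<thumbprint>').Blob`, and hand the bytes to `issuer_of(certificate_from_blob(...))`. The decoy run shows why the registry "contains" workaround over-matches: a certificate whose subject, rather than issuer, carries the CA's name produces the same hex hit, and an issuer encoded as a BMPString would not match the ASCII pattern at all. An ISE registry condition can only do the byte match; the structured check needs a script or an inventory tool that understands the blob.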