cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1990
Views
0
Helpful
7
Replies

Cisco ISE 1.3 internal CA

Rafael Mendes
Level 2
Level 2

Hello Everyone,

I'm deploying the 1.3 version of ISE(new), i have a distribute environment, with two machines for admin/log personas and two machines for psn's.

The problem that i need to solve is about the internal CA, i installed one ISE 1.1 one year ago and i used an external CA certificate based to do the authentication via eap and gui admin console with no problems, on this new instalation i'd like to use the internal CA, but the documentation is very poor and i don't found how i can initiate this setup using the internal CA.

I know that the CA is the admin primary machine, but i don't know what i need to do(using the gui) to generate the certs of the other machines and register the nodes using the certificates generated by this internal CA.


Can you help me with this?

Thanks a lot.

 

1 Accepted Solution

Accepted Solutions

Exactly.

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

View solution in original post

7 Replies 7

mohanak
Cisco Employee
Cisco Employee
the internal ca is positioned as a ca for byod 
device onboarding and not an enterprise ca replacement (for example getting 
certs onto customer servers or for managed assets such as corporate pcs) again 
this is for byod use case

So i can't use the Internal CA to generate the certificates for the other nodes to do the syncronization?

 

For the other ISE Nodes, create a self-signed cert on that node (this must be done prior to registering it to the Primary Admin Node or it fails) and export the cert.  Import the node Self-Signed Cert into the Trusted Certificates store on the Admin Node.  You can then register the node.

Do this for all node types.  The IPN is vastly different, and the ISE 1.2 Installation guide details those steps. (ISE 1.3 uses the ISE 1.2 IPN)

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Ok, i know that.

But the question is, if i want to do the certificates integration of nodes using the internal CA(like a external CA, generating the CSR's and binding the certificates) is it possible?

 

No.  You bind the CSR from your Admin node to the External Root CA.  Once the other nodes are registered, the bound cert is copied down to that other node.  The bound cert is normally a wildcard cert.

Notice that I have three nodes in this deployment with a single wildcard cert to the nodes that are in my Trusted Certificates store.  The wildcard cert is transferred automatically.

 

 

Ok, thanks.

Where can i import the root certificate of my CA based on these menus? Trusted Certificates, right?

 

 

Exactly.

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton