Cisco ISE 1.3 internal CA

Rafael Mendes
Level 2

Hello Everyone,

I'm deploying the 1.3 version of ISE (new). I have a distributed environment, with two machines for the admin/log personas and two machines for PSNs.

The problem that I need to solve is about the internal CA. I installed one ISE 1.1 a year ago and used an external CA certificate to do the authentication via EAP and the GUI admin console with no problems. On this new installation I'd like to use the internal CA, but the documentation is very poor and I can't find how to initiate this setup using the internal CA.

I know that the CA is the primary admin machine, but I don't know what I need to do (using the GUI) to generate the certs for the other machines and register the nodes using the certificates generated by this internal CA.


Can you help me with this?

Thanks a lot.

1 Accepted Solution

Accepted Solutions

Exactly.

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

7 Replies

mohanak
Cisco Employee

The internal CA is positioned as a CA for BYOD device onboarding and not as an enterprise CA replacement (for example, getting certs onto customer servers or onto managed assets such as corporate PCs). Again, this is for the BYOD use case.

So I can't use the internal CA to generate the certificates for the other nodes to do the synchronization?

 

For the other ISE Nodes, create a self-signed cert on that node (this must be done prior to registering it to the Primary Admin Node or it fails) and export the cert.  Import the node Self-Signed Cert into the Trusted Certificates store on the Admin Node.  You can then register the node.

Do this for all node types.  The IPN is vastly different, and the ISE 1.2 Installation guide details those steps. (ISE 1.3 uses the ISE 1.2 IPN)

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Ok, I know that.

But the question is: if I want to do the certificate integration of the nodes using the internal CA (like an external CA, generating the CSRs and binding the certificates), is it possible?

 

No.  You bind the CSR from your Admin node to the External Root CA.  Once the other nodes are registered, the bound cert is copied down to that other node.  The bound cert is normally a wildcard cert.

Notice that I have three nodes in this deployment with a single wildcard cert to the nodes that are in my Trusted Certificates store.  The wildcard cert is transferred automatically.

 

 
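The reply above relies on one wildcard cert bound on the Primary Admin Node being copied down to every registered node. As an added example (not code from the thread or from ISE), the check below tests whether the names on that cert actually cover every node FQDN in the deployment; a wildcard label matches exactly one DNS label, so a node in a deeper subdomain is not covered. Node names and the SAN entry are constructed for illustration.

```python
# Added example: will the wildcard cert bound on the Primary Admin Node
# cover every node it is copied down to? Names below are constructed.

def name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style match: '*' must be the whole left-most label and
    matches exactly one label, so '*.corp.example.com' does not cover
    'ise-psn2.dmz.corp.example.com'."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    p_labels = pattern.split(".")
    f_labels = fqdn.split(".")
    # Reject partial ('ise-*.corp...') and non-leading wildcards, and
    # overly broad ones such as '*.com'.
    if (p_labels[0] != "*"
            or any("*" in lbl for lbl in p_labels[1:])
            or len(p_labels) < 3):
        return False
    return len(p_labels) == len(f_labels) and p_labels[1:] == f_labels[1:]


def uncovered_nodes(cert_names, node_fqdns):
    """Return the node FQDNs that no name on the certificate covers."""
    return [n for n in node_fqdns
            if not any(name_matches(p, n) for p in cert_names)]


# Constructed deployment like the one in the thread: two admin/MnT nodes
# and two PSNs; the second PSN sits one DNS label deeper.
CERT_NAMES = ["*.corp.example.com"]
NODES = [
    "ise-pan1.corp.example.com",
    "ise-pan2.corp.example.com",
    "ise-psn1.corp.example.com",
    "ise-psn2.dmz.corp.example.com",  # not covered by the wildcard
]

if __name__ == "__main__":
    for n in uncovered_nodes(CERT_NAMES, NODES):
        print(f"not covered by the bound cert: {n}")
```

Run it before registering nodes; any FQDN it lists needs its own name on the cert (or a cert of its own) or EAP/admin TLS on that node will present a non-matching name.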

Ok, thanks.

Where can I import the root certificate of my CA based on these menus? Trusted Certificates, right?

 

 

Exactly.

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton