Solved: Cisco ISE 3.0 Certificates Purposes

ifabrizio · ‎08-31-2022

Dear All,

I am starting to install a new Cisco Ise Deployment, with two Nodes, Primary and Secondary.

My question is about the external CA signed Certificates that should be imported on the two ISE Nodes.

I know that ISE needs different certificates for each usage,(should be a best practices, do not use the same caertificate for more Ise usage,please confirm):

Admin

EAP-TLS Athentication

Radius DTLS

pxGrid

Portal

My question is about the certificate extensions that should be added in the certificate templates, for each different certificate Usage?
I mean, for example, that the certificate template used for ADMIN should have different certificate extensions than the template used for EAP-TLS authentication?
Could someone tell me the differences for each certificate template usage?

Best regards,

Igor.

Rob Ingram · ‎09-01-2022

@ifabrizio only the pxGrid certificate requires Client and Server authentication EKU, the other certificates are fine just using the "Web Server" certificate template as already noted.

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

EDIT - the ISE messaging service also requires Client and Server authentication EKU. https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_basic_setup.html?bookSearch=true

View solution in original post

ahollifield · ‎08-31-2022

These questions are really questions for your PKI admin, not really your ISE deployment. Do your PKI policies permit using the public/private key-pair with more than one service? With ISE, standard "Web server" templates typically work just fine. Again "Web Server" template depends on your individual PKI and policies.

ifabrizio · ‎09-01-2022

Hi Ahollifield,

Thank you for your reply. I agree with you this is a question form my PKI Admin, but unfortunately He do not know the reply.

My PKI Policy do not permit to use the public/private key-pair with more than one service.

I see on the web, different configuration example about EAP-TLS auth, and they use the Web Server templates.

But this template has in its extention under the Application Policy the value "Server Authentication", that it is ok for the ADMIN usage in the ISE, but it is not ok, for EAP-TLS auth.

I should add "Client Athentication" Value, I suppose? And what's about the others certificates needed for the remainig Ise Usages, for exsample the Ise Messaging and the pxGrid?

Rob Ingram · ‎09-01-2022

@ifabrizio only the pxGrid certificate requires Client and Server authentication EKU, the other certificates are fine just using the "Web Server" certificate template as already noted.

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

EDIT - the ISE messaging service also requires Client and Server authentication EKU. https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_basic_setup.html?bookSearch=true

ifabrizio · ‎09-01-2022

Hi Rob,

Thank you for your reply.

I see the document you posted above, it is useful, but it is not listed which Client and Server authentication EKUs, set for each different use / certificate.
But anyway, if not there are official documents on the subject, I accept your advice, on the Client and Server authentication EKUs settings.

Rob Ingram · ‎09-01-2022

@ifabrizio I would say that is the official Cisco document. It states which certificate type requires additional EKUs over an above the attributes contained with the standard certificate template.