
Cisco ISE CA best practice

drr
Level 1

Hi team,

We are using self-signed certificates for EAP authentication in ISE and wondering if it's possible to have one of the nodes sign the EAP certificates for both nodes? The reason is to avoid deploying certificates for both ISE nodes to every client, but only one of the certificates. We know we can sign it with an external CA and solve it, but I'm wondering if we can establish the same with the internal ISE CA.

Thanks

Accepted Solution

Arne Bier
VIP

Using ISE as a CA is not really a best practice, but you can use it as a CA if you want to. The main purpose of the ISE internal CA is to support the ISE BYOD functionality, where the ISE acts as an issuer of client certs to BYOD enrolled devices.

How exactly are you creating these "self-signed" certs? Self-signed literally means that the cert is the Root and Client certificate.

Depending on your scale and use case, it doesn't take much effort to stand up an external CA such as Microsoft Server CA or even XCA, and then create a small hierarchy of Root CA and Issuing CA 1 and Issuing CA 2. You can make a Root CA cert with openssl and then create the Issuing CA 1 and 2 with openssl. Install Issuing CA 1 and CA 2 on two Windows Servers and you have a redundant internal PKI.

In my above scenario of Issuing CA 1 and 2, I use those CAs to create the ISE EAP System Cert, as well as all the client EAP supplicants (EAP-TLS clients). In ISE you install Root CA and Issuing CA 1/2 in the Trusted Certificates store. The clients would have Root CA and Issuing CA1 and CA2 installed in their trusted certs store. The client can be issued a certificate from either CA1 or CA2.

For a small lab, I use a single XCA instance for everything and it's perfect (and free) for this purpose. I don't encourage the use of the ISE internal CA - but I would like to hear your opinion of why and how you use it. As a golden rule, I never use ISE Admin self-signed or EAP System Cert self-signed. It's a pointless exercise as far as X.509 certificate usage goes, unless you want to spin up a quick lab in 5 minutes. But in production it's nonsense.

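The hierarchy Arne describes (offline Root CA, Issuing CA 1 and Issuing CA 2, with the ISE EAP system certs and the EAP-TLS client certs issued below them) can be built in a few minutes with openssl. The script below is an added example and is not code from the thread or from Cisco; the CA names, the host names (ise01.lab.example and so on), the lifetimes and the extra "rogue-ca" used for contrast are all assumptions made for the demo. It also shows the check that matters for the original question: a peer that trusts only the Root CA accepts a cert from either issuing CA, and rejects one from any issuer outside that hierarchy no matter what its CN says.

```shell
#!/bin/sh
# Added example, not code from the thread: a lab PKI laid out the way the
# accepted answer describes it (offline Root CA -> Issuing CA 1 / Issuing CA 2
# -> ISE EAP system certs and EAP-TLS client certs), built with openssl.
# CA names, host names (ise01.lab.example ...), lifetimes and the 'rogue-ca'
# used for contrast are all assumptions for the demo.
set -eu
PKI="${PKI_DIR:-$(mktemp -d)}"

newkey() { openssl genrsa -out "$PKI/$1.key" 2048 2>/dev/null; }
csr()    { openssl req -new -sha256 -key "$PKI/$1.key" -subj "/CN=$1" -out "$PKI/$1.csr"; }

# sign SIGNER NAME EXTFILE DAYS: sign NAME's CSR with SIGNER's key and cert.
sign() {
  openssl x509 -req -sha256 -in "$PKI/$2.csr" -CA "$PKI/$1.crt" -CAkey "$PKI/$1.key" \
    -CAcreateserial -days "$4" -extfile "$PKI/$3" -out "$PKI/$2.crt" 2>/dev/null
}

# make_ca NAME [SIGNER]: a self-signed root when SIGNER is omitted, otherwise a
# subordinate CA. pathlen:0 stops an issuing CA from minting further CAs.
make_ca() {
  name=$1; signer=${2:-}
  newkey "$name"; csr "$name"
  if [ -z "$signer" ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$PKI/$name.ext"
    openssl x509 -req -sha256 -in "$PKI/$name.csr" -signkey "$PKI/$name.key" \
      -days 3650 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
  else
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$PKI/$name.ext"
    sign "$signer" "$name" "$name.ext" 1825
  fi
}

# issue SIGNER NAME ROLE: ROLE 'server' gives an ISE EAP system cert
# (serverAuth EKU, DNS SAN); 'client' gives an EAP-TLS supplicant cert
# (clientAuth EKU). The EKU is what each side checks on the other's cert.
issue() {
  signer=$1; name=$2; role=$3
  newkey "$name"; csr "$name"
  if [ "$role" = server ]; then eku=serverAuth; san="DNS:$name"
  else eku=clientAuth; san="email:$name@lab.example"; fi
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' \
    "$eku" "$san" > "$PKI/$name.ext"
  sign "$signer" "$name" "$name.ext" 365
}

# verify_chain NAME [PURPOSE]: validate the way a peer does, trusting only the
# Root CA and taking both issuing CAs as untrusted intermediates. PURPOSE is
# sslserver (what a supplicant asks of the ISE cert) or sslclient (what ISE
# asks of a supplicant cert). Prints OK or FAIL.
verify_chain() {
  cat "$PKI/issuing-ca-1.crt" "$PKI/issuing-ca-2.crt" > "$PKI/intermediates.pem"
  if openssl verify -CAfile "$PKI/lab-root-ca.crt" -untrusted "$PKI/intermediates.pem" \
       ${2:+-purpose $2} "$PKI/$1.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

build_pki() {
  make_ca lab-root-ca
  make_ca issuing-ca-1 lab-root-ca
  make_ca issuing-ca-2 lab-root-ca
  issue issuing-ca-1 ise01.lab.example server   # ISE node 1 EAP system cert
  issue issuing-ca-2 ise02.lab.example server   # node 2, from the other issuer
  issue issuing-ca-1 alice client               # an EAP-TLS supplicant
  make_ca rogue-ca                              # an unrelated root, for contrast
  issue rogue-ca ise03.lab.example server
}

build_pki
for c in ise01.lab.example ise02.lab.example alice ise03.lab.example; do
  printf '%-20s sslserver=%s sslclient=%s\n' "$c" \
    "$(verify_chain "$c" sslserver)" "$(verify_chain "$c" sslclient)"
done
```

Both ISE node certs verify with purpose sslserver even though they come from different issuing CAs, alice verifies only as a client (her cert carries clientAuth, not serverAuth), and ise03 fails both ways because rogue-ca is not under the trusted root. The files that would go into ISE are lab-root-ca.crt plus both issuing-ca certs for the Trusted Certificates store, and ise01.lab.example.key/.crt as that node's EAP system cert; the client side needs only lab-root-ca.crt and the two issuing CA certs as trust anchors.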

3 Replies

balaji.bandi
Hall of Fame

As long as it's the internal CA, that should be ok.


BB


Thanks for the detailed answer Arne.

The reason is that in this case, ISE serves several different domains and CA issuers, so we couldn't issue a certificate from a specific CA. However, we did set up an MS CA and issued a cert to the nodes, as it was the only right option.

Thanks again!