cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1856
Views
10
Helpful
6
Replies
Highlighted
dal Participant
Participant

Cisco ISE / Prime and certificates from Let's Encrypt?

Hi.

I just found out about Let's Encrypt (https://letsencrypt.org/), and it sounds fantastic.

However, it seems to be best suited for webservers running on normal linux distros or IIS servers, and not on "hardened" linux versions like ISE or Prime are running.

But I noticed that Cisco is one of the major sponsors of the project, so does anyone know if there are concrete plans from Cisco to provide support for their own platforms, like ACS, ISE, Prime, ASA, etc?

As I understand it, Let's Encrypt is module based, so I'm hoping to see a Cisco module, preferrably by Cisco themselves.

But there is also a possibility to sign Certificate Signing Requests, but I haven't been able to make it for ISE. Yet.

Everyone's tags (2)
6 REPLIES 6
Highlighted
Hall of Fame Guru

My colleague wrestled with

My colleague wrestled with Let Encrypt a bit. He has been thus far unsuccessful at getting it to issue a certificate that we can use on an ASA.

The main problem is that you need to have the ability to run openssl on the server and it needs to have a publicly resolvable FQDN. ISE and ASAs can't do the former and the latter constraint is not the case usually for an internal appliance like ISE or Prime Infrastructure.

We were trying to work around by standing up an internal Linux server but still no dice - may have been partly our unfamiliarity with the tools but it was way harder than it has to be if they expect any significant set of users. 

Also, I believe these  certificates are only valid for 90 days so you need to repeat the process with that periodicity or less - ugh.

Our conclusion (for now) was that it sounds like a great idea but isn't quite ready for the uses cases we'd like to solve as network security engineers. If we were running public web servers and had some automation and orchestration tools in place, it would probably be a much more attractive solution right now.

Highlighted
Rising star

Let's encrypt is definately

Let's encrypt is definately not intended for ASA's and other networking devices, i think the primary goal is to get end user traffic to/from internet websites encrypted. For that it is actually quite easy, running apache or really any webserver where you have control over the webserver, takes a few minutes, and then you have a cert, renewal is also quite simple.

dal Participant
Participant

Let's hope Cisco creates

Let's hope Cisco creates modules built into ISE, ASA etc. for this.

Since they are listed as one of the major sponors, it isn't unthinkable?

Highlighted
Hall of Fame Guru

Worse - inconceivable!

Worse - inconceivable!

(I couldn't resist.)

Highlighted
Beginner

We could also hope for

We could also hope for support for Wireless Controller web portal support as well.  That's a certificate that I have to re-load every few years or so that I would gladly have automated.

Highlighted
Contributor

Try this out:

Try this out:

https://github.com/chrismarget/certbot-asa

It's a certbot plugin that's installed on a separate light weight linux VM. It communicates to the ASA via APIs, pulls the certs from Lets Encrypt (via the ACME protocol) and installs it on all the ASAs in the network.

Haven't tried it but looks promising once set up right.

You can also go the manual route, and easy web version (if you don't like noodling with linux): zeroSSL.com

The hope/dream is that Cisco will implement the ACME protocol in all their devices soon, as everything has a web interface these days, how many certs is a person supposed to buy, install, maintain!!!!

It will however KILL the business of all the certificate providers; Thawte, GoDaddy, VeriSign, etc.