I just found out about Let's Encrypt (https://letsencrypt.org/), and it sounds fantastic.
However, it seems to be best suited for webservers running on normal linux distros or IIS servers, and not on "hardened" linux versions like ISE or Prime are running.
But I noticed that Cisco is one of the major sponsors of the project, so does anyone know if there are concrete plans from Cisco to provide support for their own platforms, like ACS, ISE, Prime, ASA, etc?
As I understand it, Let's Encrypt is module-based, so I'm hoping to see a Cisco module, preferably by Cisco themselves.
But there is also a possibility to sign Certificate Signing Requests, but I haven't been able to make it for ISE. Yet.
My colleague wrestled with Let's Encrypt a bit. He has been thus far unsuccessful at getting it to issue a certificate that we can use on an ASA.
The main problem is that you need to have the ability to run openssl on the server and it needs to have a publicly resolvable FQDN. ISE and ASAs can't do the former, and the latter constraint is usually not the case for an internal appliance like ISE or Prime Infrastructure.
We were trying to work around it by standing up an internal Linux server, but still no dice - may have been partly our unfamiliarity with the tools, but it was way harder than it has to be if they expect any significant set of users.
Also, I believe these certificates are only valid for 90 days so you need to repeat the process with that periodicity or less - ugh.
Our conclusion (for now) was that it sounds like a great idea but isn't quite ready for the use cases we'd like to solve as network security engineers. If we were running public web servers and had some automation and orchestration tools in place, it would probably be a much more attractive solution right now.
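The CSR route mentioned above (openssl on a helper host, an FQDN that resolves publicly while validation runs), written out as an added example that is not from this thread or from Cisco. It assumes a Linux helper host with `openssl` and `certbot` installed, and that the appliance FQDN points at that host on TCP/80 only for the duration of the HTTP-01 challenge:

```shell
#!/bin/sh
# Added example: sign a CSR for an appliance that cannot run an ACME client.
# A Linux helper host creates a key + CSR for the appliance's FQDN, certbot
# signs it via HTTP-01, and the result is bundled as PKCS#12 for import.
# Assumptions: openssl and certbot are installed; the FQDN resolves publicly
# to this host on port 80 while certbot runs; the certificate is valid for
# 90 days, so this has to be re-run before it expires.
set -eu

# Emit an openssl "req" config for FQDN with a matching SAN (pure text, no I/O).
make_csr_config() {
    fqdn="$1"
    printf '%s\n' \
        '[req]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = ext' \
        '[dn]' "CN = $fqdn" \
        '[ext]' "subjectAltName = DNS:$fqdn"
}

# Generate a 2048-bit RSA key and a CSR on the helper host. If the appliance
# can produce its own CSR (ISE does, in its admin UI), use that and skip this.
make_csr() {
    fqdn="$1"; key="$2"; csr="$3"
    make_csr_config "$fqdn" > "$csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$csr.cnf"
}

# Have certbot sign an existing CSR using its standalone port-80 listener.
# With --csr, certbot does not track renewal; it only writes the files named here.
sign_csr() {
    csr="$1"; out="$2"
    certbot certonly --standalone --csr "$csr" \
        --cert-path "$out/cert.pem" --chain-path "$out/chain.pem" \
        --fullchain-path "$out/fullchain.pem"
}

# Bundle key + leaf + chain as PKCS#12 and base64 it for pasting into the
# appliance (on an ASA: crypto ca import <trustpoint> pkcs12 <passphrase>).
bundle_pkcs12() {
    key="$1"; out="$2"; pass="$3"
    openssl pkcs12 -export -inkey "$key" -in "$out/cert.pem" \
        -certfile "$out/chain.pem" -passout "pass:$pass" -out "$out/bundle.p12"
    openssl base64 -in "$out/bundle.p12" -out "$out/bundle.p12.b64"
}

# Entry point, e.g.: ISSUE_FQDN=ise.example.com P12_PASS=secret sh issue-cert.sh
if [ -n "${ISSUE_FQDN:-}" ]; then
    mkdir -p out
    make_csr "$ISSUE_FQDN" out/appliance.key out/appliance.csr
    sign_csr out/appliance.csr out
    bundle_pkcs12 out/appliance.key out "${P12_PASS:-changeit}"
fi
```

The helper host only needs to be reachable on port 80 while `sign_csr` runs; the private key never leaves it except inside the PKCS#12 bundle you import.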
Let's Encrypt is definitely not intended for ASAs and other networking devices; I think the primary goal is to get end user traffic to/from internet websites encrypted. For that it is actually quite easy: running Apache or really any webserver where you have control over the webserver takes a few minutes, and then you have a cert; renewal is also quite simple.
We could also hope for Wireless Controller web portal support as well. That's a certificate that I have to re-load every few years or so that I would gladly have automated.
Try this out:
It's a certbot plugin that's installed on a separate lightweight Linux VM. It communicates with the ASA via APIs, pulls the certs from Let's Encrypt (via the ACME protocol) and installs them on all the ASAs in the network.
Haven't tried it but looks promising once set up right.
You can also go the manual route, an easy web version (if you don't like noodling with Linux): zeroSSL.com
The hope/dream is that Cisco will implement the ACME protocol in all their devices soon, as everything has a web interface these days; how many certs is a person supposed to buy, install and maintain?!
It will, however, KILL the business of all the certificate providers: Thawte, GoDaddy, VeriSign, etc.