Re: configure Microsoft CA Server for ISE

Mahendervyas35821 · ‎09-30-2021

Hi Experts

I want to Configure Microsoft CA server so i can manage ISE certs using that .

I found below links on how to install certs in ISE but not able to find how to configure CA server.

https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897#toc-hld-1417244287

how to install certs.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216528-configure-microsoft-ca-server-to-publish.html

how to install CA for CRL.

Please let me know if you guys know any links on how to install and configure Microsoft Ca server for ISE cert management.

Rob Ingram · ‎10-01-2021

@Mahendervyas35821

As far as the initial configuration of the Microsoft CA server is concerned there isn't anything special required related to ISE.

You just need the CA installed and configured, you'll require the Trusted Root Certificate deployed to all AD joined computers, this can be done using GPO.

Examples:

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/

You will also need to install the Microsoft CA Web Enrollment GUI, to be able to sign CSR (Certificate Signing Requests) from ISE.

You will need to import the CA Root Certificate and import into ISE's Trusted Root Certificate store.

Optional - If you require SCEP or are going to use pxGrid, then you would need to tweak the CA configuration, refer to this post.

http://www.network-node.com/blog/2015/12/24/server-2012-configuration-certificate-templates?rq=ise