02-08-2016 08:21 AM
Hi all,
partner is asking if we support "Certificate Policies" with ISE according to RFC 5280:
4.2.1.4. Certificate Policies
The certificate policies extension contains a sequence of one or more
policy information terms, each of which consists of an object
identifier (OID) and optional qualifiers. Optional qualifiers, which
MAY be present, are not expected to change the definition of the
policy. A certificate policy OID MUST NOT appear more than once in a
certificate policies extension.
In an end entity certificate, these policy information terms indicate
the policy under which the certificate has been issued and the
purposes for which the certificate may be used. In a CA certificate,
these policy information terms limit the set of policies for
certification paths that include this certificate. When a CA does
not wish to limit the set of policies for certification paths that
include this certificate, it MAY assert the special policy anyPolicy,
with a value of { 2 5 29 32 0 }.
Thanks in advance
Roland
02-09-2016 03:22 PM
Roland,
I assume you are referring to ISE as a certificate authority (someone issuing & signing certificates for use on endpoints); and not asking about ISE authenticating a certificate that is being sent as a credential for network access.
If yes, you are referring to the ISE as a CA use-case, THEN:
We do support them, but they are hard-coded into our pre-built certificate templates. You cannot pick/choose your own certificate policies. The endpoint certificate will have a policy already there, for an OID specifying an end-entity certificate for client authentication use-case.
The newer pxGrid certificate template coming in ISE 2.1 will have both Client and Server use-cases specified.
ELSEIF you are referring to ISE as a certificate authenticator and validator for network access, THEN
Yes, we support validating the certificate & it is configured with the "Validate Certificate Extensions" option when importing the trusted signer certificate into the Trusted Certificates store in ISE.
-Aaron
02-10-2016 07:15 AM
Hi Aaron,
thanks for the quick response. It's the latter one (ISE as cert authenticator). I will ask the partner SE if this is what they want, but I believe they want to have this within the auth policy (e.g. if extension is xyz then permit access, else deny access; for example they want to code a certificate in a way that it can only be allowed for certain SSIDs).
Roland
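The RFC 5280 structure quoted in the first post (SEQUENCE OF PolicyInformation, each an OID with optional qualifiers, anyPolicy as { 2 5 29 32 0 }) and the "permit only if the certificate asserts policy xyz" check Roland describes, as an added example in Python. This is not code from the thread or from Cisco ISE; the DER samples are constructed here, and the anyPolicy-matches-anything behaviour is an assumption taken from RFC 5280 path-validation semantics.

```python
# Added example, not from the thread or ISE: decode a certificatePolicies
# extnValue (RFC 5280 4.2.1.4) and apply a "required policy OID" check.
ANY_POLICY = "2.5.29.32.0"                      # { 2 5 29 32 0 }
def _tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(body):
    """Decode OID contents to dotted form; first octet packs arcs 1 and 2."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # last base-128 group of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def parse_certificate_policies(ext_value):
    """Return [(policy OID, has_qualifiers)] from a certificatePolicies value."""
    tag, seq, _ = _tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _tlv(seq, pos)         # PolicyInformation
        otag, oid_body, qpos = _tlv(info, 0)    # policyIdentifier
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed PolicyInformation")
        policies.append((decode_oid(oid_body), qpos < len(info)))
    return policies
def policy_oids(ext_value):
    """Policy OIDs of the extension; a repeated OID is rejected per RFC 5280."""
    oids = [oid for oid, _ in parse_certificate_policies(ext_value)]
    if len(oids) != len(set(oids)):
        raise ValueError("a policy OID appears more than once")
    return oids
def permits(ext_value, required_oid):
    """True if required_oid (or anyPolicy; inhibitAnyPolicy not modelled) is asserted."""
    oids = policy_oids(ext_value)
    return required_oid in oids or ANY_POLICY in oids

# Constructed DER samples: CAB Forum OV policy 2.23.140.1.2.2 with a CPS
# qualifier, then anyPolicy; one without anyPolicy; one with a duplicate OID.
SAMPLE = bytes.fromhex("3029301f060667810c0102023015301306082b06010505070201"
                       "16076578616d706c6530060604551d2000")
NO_ANY_SAMPLE = bytes.fromhex("300a3008060667810c010202")
DUP_SAMPLE = bytes.fromhex("3010" + "30060604551d2000" * 2)
```

An authorization rule of the kind Roland wants would call `permits()` with the SSID's required policy OID and deny access when it returns False or raises.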
02-17-2016 12:25 PM
Last I heard about "Certificate Policies" was how it affects certificates issued by a CA -- Creating Certificate Policies and Certificate Practice Statements
ISE supports EKU name and OID as conditions for authorization.
10-26-2021 10:32 AM
I think he is referring to when you generate a CSR on ISE, there is a field called Certificate Policies, a free-form text field; we would have expected you to comment on how to format that field.
Prakash