06-08-2018 07:55 AM
Hi everyone,
As far as I can tell, there is no out-of-the-box support for syncing the two certificate stores.
I'm hoping this will be added in a future release, since it's an obvious ecosystem caveat.
Is there a REST-based method to extract certificates from the CUCM store and push them into ISE by REST? I'd imagine the CAPF and CAPF-Trust certs will suffice for a Mixed Mode CUCM deployment.
Thanks!
06-08-2018 10:52 AM
There is currently no API for pushing/pulling certs from ISE. Cannot speak for CUCM.
06-08-2018 04:32 PM
If using the certificates for EAP-TLS, there is no need to sync or import individual end-entity certificates to ISE. Instead, ISE needs only the root CA and/or any of the intermediate CA certificates imported and trusted for client authentication.
06-08-2018 11:25 PM
Hi,
Keep in mind that the CA for signing phones (CAPF) is self-signed by the CUCM cluster. This means that its public cert needs to be uploaded into ISE in order for phones to be able to authenticate for 802.1x with ISE.
Yes, it is possible to use your own CA as a CAPF but then provisioning phones becomes way too cumbersome.
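
Added example, not part of any post in this thread: a local OpenSSL sketch of the trust model described above, where a verifier that trusts only the self-signed signing CA accepts every device certificate that CA issued and rejects one from another issuer. All names (`demo-capf`, `other-ca`, `phone-a`, `phone-b`, `phone-x`) and certificates are constructed stand-ins; nothing here talks to CUCM or ISE.

```shell
# Added illustration; every name and certificate below is constructed for the demo.

# Minimal OpenSSL config so the self-signed certificate is marked as a CA.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca DIR NAME: self-signed signing CA (stand-in for the cluster's CAPF certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cfg" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue DIR CA_NAME DEVICE_CN: device certificate signed by the named CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# verdict DIR TRUSTED_CA DEVICE_CN: validate a device certificate against one trusted CA only.
verdict() {
    if openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

demo() {
    d=$(mktemp -d) || return 1
    write_cfg "$d/cfg"
    make_ca "$d" demo-capf && make_ca "$d" other-ca || return 1
    issue "$d" demo-capf phone-a && issue "$d" demo-capf phone-b &&
        issue "$d" other-ca phone-x || return 1
    # Only demo-capf.pem is trusted; no device certificate is ever imported.
    echo "$(verdict "$d" demo-capf phone-a) $(verdict "$d" demo-capf phone-b) $(verdict "$d" demo-capf phone-x)"
    rm -rf "$d"
}

demo   # -> accepted accepted rejected
```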