How do I utilize ECDSA with both External and Internal (BYOD) CAs?

sjury, Cisco Employee

Hello team,

I'm trying to set up an ISE deployment that will use ECDSA certificates for wired and wireless machine authentication, as well as ECC keys for Android BYOD devices and RSA keys for Apple iOS BYOD devices. I currently have the external CA ECDSA certificates working with wired and wireless devices. This was made easier by the ability to use ECDSA certs as the system certs (all certificates under Administration->Certificate->Certificate Management->System Certificates are ECDSA SHA384 certificates).

I'm now working on the internal CA side and trying to narrow down the best practices. I've seen documentation stating that we support EST for ECC keys for BYOD devices. What I have not been able to find is how we set up the internal CA to use ECC keys. I can only generate RSA keys for the internal CA, not ECDSA. Is this something that can be done? I am assuming so, as we support EST to provide ECC certificates from ISE to BYOD, but I cannot seem to find any documentation on this.

Also, is there a way to make ISE a subCA of an external CA? I currently have my ISE box using ECDSA certificates from my MS CA box. I'd like to be able to make the internal CA a subCA of my MS CA root. Is this something that is doable?

Thanks in advance!

Shawn Jury

Cisco Fed SE

Accepted Solution

hslai, Cisco Employee

You are correct that ISE internal CA uses only RSA key. ECC keys are not an option currently.

ECC client certificates are supported on certain client OSes only: Windows 8 or later and Android 4.4 or later. See Table 17 of Client Certificate Requirements for Certificate-Based Authentication.

To issue client certificates with ECC keys, select it in the certificate template settings. See Certificate Template Settings.

To make the ISE internal CA a subCA of an external CA, generate a CSR and pick "ISE Intermediate CA" as the option for "Certificate(s) will be used for".


5 Replies

sjury, Cisco Employee

Thanks hslai,

I've set up everything in my internal lab and it looks correct, but I don't have the equipment to verify everything with the ECC and EST process (no Android devices). I'll get my customer to verify and see where we stand.

Thanks,

Shawn

sjury, Cisco Employee

Hslai,

You stated "You are correct that ISE internal CA uses only RSA key. ECC keys are not an option currently". I am having a hard time understanding how a CA with RSA keys can issue EC keys to clients. I know my customer is going to ask how this is done and I cannot find anything that explains this. Would you be able to help me understand this so I can explain it to my customer? It just seems counter-intuitive to what I know about CA and cert types.

Thanks,

Shawn

sjury, Cisco Employee

Hslai,

Thank you. I now understand. I was confused, as I was expecting "EC" to mean it would be supported for Suite B (RFC6460). The EC we support is ECDHE_RSA, which is not an accepted cipher suite in Suite B. It is a fully supported cipher suite for ECC TLS according to RFC4492. Thank you for helping me learn something new today.

Shawn
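The question raised in the third post (how a CA that only has an RSA key can issue certificates carrying EC keys) comes down to the fact that in X.509 the subject's public key algorithm and the issuer's signature algorithm are independent fields: the CA signs whatever public key the client presents in its CSR with the CA's own key. The following Go program, added here as an illustration and not code from the thread, ISE or Cisco, builds a constructed RSA root CA (standing in for the ISE internal CA), has a constructed client generate an ECDSA P-384 key and CSR, issues the client certificate from the RSA CA, and then verifies the chain the way an EAP-TLS server would. All names, serial numbers and validity periods are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuedLeaf records the key/signature split that the thread asks about.
type IssuedLeaf struct {
	CAKeyAlgo     x509.PublicKeyAlgorithm // algorithm of the CA's own key (RSA here)
	LeafKeyAlgo   x509.PublicKeyAlgorithm // algorithm of the client's key (ECDSA here)
	LeafSigAlgo   x509.SignatureAlgorithm // how the leaf was signed (by the RSA CA key)
	ChainVerified bool                    // leaf chains to the RSA root for client auth
}

// IssueECClientCertFromRSACA builds a constructed RSA CA, issues a certificate
// over an ECDSA P-384 client key from a CSR, and verifies the resulting chain.
func IssueECClientCertFromRSACA() (IssuedLeaf, error) {
	now := time.Now()

	// 1. Constructed RSA CA key and self-signed CA certificate (stand-in for an RSA-only internal CA).
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return IssuedLeaf{}, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: "Example Internal CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return IssuedLeaf{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return IssuedLeaf{}, err
	}

	// 2. The client generates its own EC key pair; only the public key travels in the CSR,
	//    which the client self-signs with ECDSA to prove possession of the private key.
	clientKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return IssuedLeaf{}, err
	}
	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "byod-device-01 (constructed)"}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, clientKey)
	if err != nil {
		return IssuedLeaf{}, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return IssuedLeaf{}, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession, verified with the EC key
		return IssuedLeaf{}, err
	}

	// 3. The CA copies the EC public key out of the CSR into the leaf and signs with its RSA key.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed serial
		Subject:      csr.Subject,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return IssuedLeaf{}, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return IssuedLeaf{}, err
	}

	// 4. Chain validation as a TLS server trusting only the RSA root would do it.
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})

	return IssuedLeaf{
		CAKeyAlgo:     caCert.PublicKeyAlgorithm,
		LeafKeyAlgo:   leaf.PublicKeyAlgorithm,
		LeafSigAlgo:   leaf.SignatureAlgorithm,
		ChainVerified: verr == nil,
	}, nil
}

func main() {
	r, err := IssueECClientCertFromRSACA()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA key: %v, leaf key: %v, leaf signature: %v, chain OK: %v\n",
		r.CAKeyAlgo, r.LeafKeyAlgo, r.LeafSigAlgo, r.ChainVerified)
}
```

The leaf ends up with an ECDSA public key and an RSA signature (`SHA256WithRSA` is what Go's `x509.CreateCertificate` picks for an RSA signer when the template leaves `SignatureAlgorithm` unset); the verifier checks the leaf's signature with the CA's RSA key and never needs the CA to have an EC key. That is also why the cipher suite the client ends up negotiating is of the ECDHE_RSA family rather than ECDHE_ECDSA: the suite name refers to the algorithm of the key that signs the handshake, and a strict Suite B profile wants that to be ECDSA all the way up the chain.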