Solved: How to sign EAP Authentication CSR

SERS-techsupport · ‎03-26-2025

In the past I have used multi-use CSR's for Admin and EAP authentication. I am now going to use individual CSR's for Admin and EAP authentication for renewal. I have the admin CSR signed, but what options on the CA do I use to sign the EAP Authentication CSR? When they were combined I think I just used webserver and then everything else was default.

SERS-techsupport · ‎03-26-2025

Are we feeling pretty good about this? The linked document just glosses over the signing process in step 6. as "Submit it to your CA for signature" and then moves directly to installing the signed certificate back into ISE.

View solution in original post

SERS-techsupport · ‎03-26-2025

I just made a case for this.

View solution in original post

Rob Ingram · ‎03-26-2025

@SERS-techsupport you should be fine using the same CA template to sign the EAP certificate that is used to sign the Admin certificate.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html

SERS-techsupport · ‎03-26-2025

Are we feeling pretty good about this? The linked document just glosses over the signing process in step 6. as "Submit it to your CA for signature" and then moves directly to installing the signed certificate back into ISE.

SERS-techsupport · ‎03-26-2025

I just made a case for this.

Rob Ingram · ‎03-26-2025

@SERS-techsupport yes, if using Windows Certificate Authority you can use the "Web Server" certificate template for the EAP certificate, same as you can use for Admin certificate. Example.

Cisco would state whether specific certificate attributes are required. The only ISE certificate that requires specific certificate attributes (therefore not the Web Server template) is the pxGrid certificate.