Is there a limit to how many CA Server Certs can be used?

algoldst
Cisco Employee

Here is the scenario:

50 different AD domains.

We know that ISE can support up to 50 AD domains however this is not the issue we are concerned about.

What concerns us is that each one of those 50 domains has a separate Microsoft CA / PKI environment and the client wants to perform certificate based authentication for all endpoints from all of the 50 AD domains.

I've skimmed through the 'Managing Certificates' chapter of: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21.pdf

There does not seem to be any indication as to a limit of certificates, so then does the limit fall in the number of AD Forests that are supported (50)? You just need to pull the cert onto ISE from each CA in each forest?

Let's make the assumption, whether domains or forests, that there is NO two-way trust.

Accepted Solutions

kthiruve
Cisco Employee

Hi Alex,

There is no validated limit to the number of CAs. As long as the CA root cert and/or intermediate certificate is in the Trusted Certificates section for the right set of services, such as EAP, Admin, etc., the client certificate will be validated. The AD domains ISE supports can be in a single or multiple forests.

For ISE performance metrics, please see the ISE Performance & Scale community page.

Thanks

Krishnan

If asking the max # of Trusted Certs, here are the numbers:

Maximum # User Certificates    1M

Maximum # Server Certificates    1000

Maximum # Trusted Certificates    1000

/Craig