cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3253
Views
0
Helpful
8
Replies

ISE 2.3 as intermediate CA und Microsoft Root CA

nw-team01
Level 1
Level 1

Hello,

I am trying to Bind CA Signed Certificate to the CSR generated for intermediate CA.

The root ca is a Microsoft Server 2012R2

ISE is Version 2.3

When binding the certificate, i get the following error:

 

Certificate does not comply with intermediate certification authority template.Unbenannt.PNG

 

 

 

The certficate i am trying to bind, looks fine to me:

 

Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)Unbenannt.PNG

 

 

 

Has anyone encountered this issue before?

I'm guessing something is wrong with our Root ca, but who knows.

 

Any help is appreciated.

 

1 Accepted Solution

Accepted Solutions

Would recommend troubleshoot through TAC.

Also consider do you truly need to add ISE to be part of the PKI? If you’re doing BYOD onboarding using Native supplicant and certificate provisioning then use ISE self contained. It just works out of the box with minor setup ☺

View solution in original post

8 Replies 8

howon
Cisco Employee
Cisco Employee

Suggest looking at ise-psc.log. The log should provide information on why the certificate was rejected.

paul
Level 10
Level 10

I can't see your EKU settings.  Do you have both client and server authentication enabled?  

Yes, i have both client server authentication enabled.

 

I searched the ise-psc.log. I can't find anything conclusive, i've attached the log segment from when attempting to bind the certificate.

 

Try bumping up the ca-service log under Administration -> System -> Logging -> Debug Log Configuration to debug and go through bind process again.

Please see if you are using the right template in the CA to create the certificate.

Here is more information

 

  • ISE Intermediate CA—(Applicable only for the internal CA service when ISE acts as an intermediate CA of an external PKI) Used to generate an intermediate CA certificate on the Primary PAN and subordinate CA certificates on the PSNs. The certificate template on the signing CA is often called a Subordinate Certificate Authority. This template has the following properties:

    • Basic Constraints: Critical, Is a Certificate Authority

    • Key Usage: Certificate Signing, Digital Signature

    • Extended Key Usage: OCSP Signing (1.3.6.1.5.5.7.3.9)

Thanks

Krishnan

 

This ist the only useful message i'm getting from the log file, after setting debug condition:

 

Error occurred while verifying certificates for host: svtg001ise01.tg-cee.net. com.cisco.epm.cert.validator.CertPathVerificationException: Certificate Signature Verification failed

 

I created a Policy.inf file to generate the certificate, please see attached.

As it is a offline root ca, there are no (visible) certificate templates. The only thing i can influence, is the .inf file.

 

I have the root ca certificate imported under trusted certificates.

 

I'm running out of Ideas :-(

Would recommend troubleshoot through TAC.

Also consider do you truly need to add ISE to be part of the PKI? If you’re doing BYOD onboarding using Native supplicant and certificate provisioning then use ISE self contained. It just works out of the box with minor setup ☺

Hi,

 

This was probably already solved for you but if someone else runs into this, make sure to use a SubCa (Subordinate Certification Authority) as the certificate template from Microsoft CA.

 

In my lab this is what the cert has and it works for ISE's intermediate CA:

EKU

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
OCSP Signing (1.3.6.1.5.5.7.3.9)

 

Key Usage

Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

 

The template has Basic Constraint as: "The subject is a certification authority (CA)." Critical extension.