
ISE CA Certificates

alberx
Level 1

I'm using ISE 2.1 as CA for BYOD and deploying user certificates to devices. Everything works fine in the provisioning and EAP authentication.

Taking profit of the ISE CA, I would like to use it for other platforms, I mean servers, proxies... I would like to know if it is possible to sign certificates for other subordinate root CAs or servers.

I also exported the root CA certificates and private keys via the CLI, trying to import them into another CA server, but the file is encrypted. Of course I know the password, but it is a file with no format.

Does anyone know if it is possible to use ISE CA as a "standard" PKI CA server?

Thanks.

4 Replies

Technically you can use ISE as a CA. However, this is not recommended because most likely it will not scale.

What is not clear to me is why you are trying to export the root certificate and private key and import it to another CA. Can you add more details?

@berna_tllz

Hi Bernardino.

I want to use the ISE root certificate (or to sign a subordinate Root certificate) for a proxy service and intercept SSL.

As my client endpoints already have this root certificate installed via the BYOD provision process, I would like to take profit and avoid the necessity to distribute another certificate to my clients. Many of them are private devices and I cannot control them.

Thanks.

What you can do is to deploy a Root CA (if you don't have it yet) and make the PAN a subordinate of that CA. In that way, all the endpoint certificates will trust the Root certificate. In that scenario, you can use your Root CA to sign the proxy's certificate without trust issues from the BYOD clients. This will also help you with any other service that requires a certificate.

The downside is that you will need to redeploy the BYOD certificates. You can read about this in the following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#task_E458E69FA39941BBAA9799AAD7FDC644

 Twitter: @berna_tllz

Yes, I already knew this.

But my client still does not have PKI infrastructure and I don't want to create it for them.

Thanks anyway.
