Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1584
Views
10
Helpful
5
Replies

【ISE】Certificate Download Format in Certificate Provisioning

Go to solution
Lucas Woo
Level 1
Level 1

‎04-26-2022 03:58 AM

Hello,

As a title, in Certificate Provisioning there are four types of Certificate Download Format, but I don`t know which format I have to select.

I just want to generate the certification and import it into Client PC for EAP-TLS communication.

So, What is the best practice in this case.


Thank you.

 

ise_certpro.jpg

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Lucas Woo

‎04-26-2022 06:24 AM

PKCS12 with chain is likely what you need. But be aware that all that you do here can have security-consequences. If you don't know what you do, better ask the company that installed the ISE for support.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎04-26-2022 04:09 AM - edited ‎04-26-2022 04:13 AM

@Lucas Woo you wouldn't use an ISE provisioned certificate for EAP-TLS authentication of client devices. Most organisations would use an Internal CA such as a Windows Cerificate Authority to issue certificates to client computers and users.

 

The ISE certificate provisioning is generally used for BYOD or pxGrid certificates.

 

Here some guides

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html

https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

https://integratingit.wordpress.com/2022/04/24/ise-certificate-authentication/

 

 

Go to solution
Karsten Iwen
VIP
VIP

‎04-26-2022 04:17 AM

As Rob mentioned, this is typically done through other means. But if you want to use this certificate for devices that can't be enrolled this way, you can use the Cert provisioning portal. The format depends on the device on which you want to import the cert. The differences are:

  • PKCS12: You have on file that includes the cert, the key and optionally (but typically needed) the intermediate certs. This is used if the Client accepts only one file for all.
  • PEM/PKCS8: The key and certs are in separate files. This is used if the client has separate options to import the certs and keys.

Go to solution
Lucas Woo
Level 1
Level 1
In response to Karsten Iwen

‎04-26-2022 05:47 AM

@Karsten Iwen 
Thank you for your reply and detail, but I`m poor at this field and don`t know well. 


Generally, what Certificate Download Format is commonly used for ? Most clients are Windows OS and Mac OS users. 
In other words, what is recommend format when importing into Windows OS and Mac OS ?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Lucas Woo

‎04-26-2022 06:24 AM

PKCS12 with chain is likely what you need. But be aware that all that you do here can have security-consequences. If you don't know what you do, better ask the company that installed the ISE for support.

0 Helpful

Go to solution
Lucas Woo
Level 1
Level 1
In response to Karsten Iwen

‎04-27-2022 05:38 PM

@Karsten Iwen 

As you mentioned, PKCS12 was suitable in this case because I need import certificate with key.

Thank you for your help.

0 Helpful
Customers Also Viewed These Support Documents