cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
491
Views
3
Helpful
6
Replies

ISE Internal CA pxGrid template with extended validity period

Arne Bier
VIP
VIP

Hello,

During the ISE integration with DNAC, ISE used its internal CA to generate a certificate for DNAC.

I assumed that the default template called "pxGrid_Certificate_Template" would be used. This template creates certs with a validity period of 730 days (2 years).  Two years seems a bit too short - I want to see how long I can stretch the validity. Before anyone starts a fight with me about 1 year certs etc ... don't!  *smiley face*

ArneBier_0-1706684258757.png

I modified the default template and set it to 900 days. However, during DNAC integration, ISE still generates a 730 day certificate (I checked each time in "Issued Certificates".  I can't find where in DNAC these certificates are used. Anyone know?

I have tried disabling and re-enabling Internal CA. But it doesn't help. Does it use this template at all?  I edited the"CA_SERVICE_Certificate_Template" but it doesn't seem to use that one either. 

Do I have to reboot a node, or is this all hard-coded?

thanks in advance.

1 Accepted Solution

Accepted Solutions

Hi @Arne Bier , just a few additional comments for clarity...

1. The discovery phase is simply DNAC using the API to discover all of the ISE nodes and personas in the cluster. This API and process would be no different regardless of whether pxGrid integration was enabled or not; hence the log details you highlighted.

2. This is the setting I was referring to (not ticked as this is a shared lab environment).

Screenshot 2024-02-01 at 1.45.25 pm.png

Enabling this setting will use the DNAC system certificate for the pxGrid connection, and you will not see DNAC enroll a certificate with the Internal ISE CA.
This is useful when you want to only leverage certificates signed by your enterprise CA (like AD CS) rather than having another point to manage certificates (like the ISE Internal CA) and is a common preference and approach for most customers I've worked with to design/deploy an SDA/ISE environment.

As for the issue you're seeing with the template, I've never attempted to change that lifetime so it could be a bug that nobody has found yet

View solution in original post

6 Replies 6

I usually create the certs for pxGrid integration out of the box and then import it into both ISE and DNA-C. However, if you want to rely on ISE internal CA then I think you can check the issued certificate in ISE in the "Issued Certificates" tab and see which template generated it. If it happens to be the same template that you edited then probably I would think about it as a software bug that is causing this behaviour.

Not sure what you mean by "I usually create the certs for pxGrid integration out of the box and then import it into both ISE and DNA-C" - if you tick the box in DNAC to use pxGrid, then DNAC will connect to ISE PAN, and it will cause ISE to generate a certificate using its internal CA and the pxGrid Template. You have no control over this (other than the option of NOT integrating with pxGrid - this is a valid option, but you lose some cool features - however, DNAC will be integrated with ISE with basic functionality)

The problem I have was resolved with an application stop and start of the Primary PAN. Not a big deal, but I would have thought this could be handled more elegantly in the GUI.

Now when I integrate DNAC with that ISE, and my ISE pxGrid_Certificate_Template has a Valid Period of 3652 days, then ISE generates a cert that has the validity for 3652 - n days, where n is the number of days remaining of the ISE Root CA (which is valid for 10 years).

Managing certificate lifecycles is an industry problem and if there is no easy way for certificates to auto-renew themselves, and in such a way that doesn't cause service interruptions, then users will find pragmatic solutions to simplify their lives, by creating certs with very long lifespans.  For internal systems I personally don't have a problem with this.  If there is a hacker in the midst of your organisation that is playing MITM tricks, then you have bigger problems.  And whether it's a 1 year cert or a 5 year cert, makes no difference to the hacker. But a 1 year cert is a major pain for any organisation that has to constantly renew them, which means extra work, and service interruptions. Sure, your design should be redundant. But 1 year is really an arbitrary value that makes people feel more secure. But it's just a perception, and not based in any fact.

@Arne Bier , there is an option in DNAC/Catalyst Center (since 2.2.3.x, I think) that allows you to use the system certificate installed for pxGrid as well. This allows you to use internal CA-signed certs for the pxGrid connection for both ISE and DNAC/CC rather than certs signed by the ISE Internal CA.

From the Admin Guide:

Screenshot 2024-02-01 at 12.30.08 pm.png

Thanks Greg. For customers who don't have ISE Advantage licensing (and hence, no pxGrid enabled on their ISE), you would not tick the box "Connect to pxGrid".

ArneBier_0-1706752318495.png

 


And you're right, then the ISE internal CA is no longer generating any certs during DNAC integration.

But during this type of integration DNAC still mentions that it's discovering pxGrid (for what reason?) - but there is no pxGrid integration.

ArneBier_1-1706752511788.png

 

 

Anyway, since DNAC only supports one ISE deployment (integrated as Type ISE, not as Type AAA) and if the customer has Advantage Licensing, then it's a no-brainer to integrate it with pxGrid, because of all the Analytics and extra telemetry that ISE cna provide DNAC. 

And now that I know how to manipulate the pxGrid cert template in ISE, I can generate long-lived certs for this integration.

Hi @Arne Bier , just a few additional comments for clarity...

1. The discovery phase is simply DNAC using the API to discover all of the ISE nodes and personas in the cluster. This API and process would be no different regardless of whether pxGrid integration was enabled or not; hence the log details you highlighted.

2. This is the setting I was referring to (not ticked as this is a shared lab environment).

Screenshot 2024-02-01 at 1.45.25 pm.png

Enabling this setting will use the DNAC system certificate for the pxGrid connection, and you will not see DNAC enroll a certificate with the Internal ISE CA.
This is useful when you want to only leverage certificates signed by your enterprise CA (like AD CS) rather than having another point to manage certificates (like the ISE Internal CA) and is a common preference and approach for most customers I've worked with to design/deploy an SDA/ISE environment.

As for the issue you're seeing with the template, I've never attempted to change that lifetime so it could be a bug that nobody has found yet

I mean to say that usually I generate an external identity cert to DNA-C from the same internal PKI with 5 years lifetime, and then I import it into DNA-C as a system certificate if I remember correctly how they call it in DNA-C. Once that is done, I go through the integration similar to what you can see in this guide, and that would do the trick because now DNA-C and ISE can trust each other as both of them have certificates from the same issuer.

How To Cisco DNA Center ISE Integration - Cisco Community