ISE pxGrid client/server certificate creation and renewal

JaseNL
Level 1

I am setting up a number of servers as pxGrid clients and I have a couple of questions about what's possible and what's best practice.

1. Is it possible to generate a client/server certificate using a private key generated locally on the server?

2. All the documentation I've seen up till now describes renewing the client/server certificate from the GUI. Are there any facilities for automating this?

Thanks

1 Accepted Solution

Greg Gibbs
Cisco Employee

1. If you're talking about a private key generated on an external server, then yes. You can generate a private key and CSR on an external server, have it signed by your CA (using a template with both the Client and Server Auth EKUs), then import the key and signed certificate into ISE for the pxGrid usage.
On ISE directly, you can only generate the CSR (which generates the private key stored internally). Only after binding the signed certificate to the CSR in ISE are you able to export the private key (with the certificate).

2. Yes, there are APIs and IaC tools (Ansible, Terraform) for performing the same Certificate operations as in the GUI.
https://developer.cisco.com/docs/identity-services-engine/latest/certificate-openapi/
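The external-key workflow from the accepted answer, as an added worked example (not Cisco's code, not the poster's): the private key and CSR are generated on the pxGrid client itself, the CSR is signed, and the issued certificate is checked for both the Server Auth and Client Auth EKUs before the key/cert pair is handed to ISE. The hostname `pxgrid-client01.example.com`, the scratch directory, and the throwaway "Demo Issuing CA" are assumptions; the throwaway CA and its `both` / `server-only` "templates" only stand in for the enterprise CA and its certificate templates, so the failure case (a CA template that drops the Client Auth EKU) can be shown offline.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's code): key + CSR generated on the pxGrid client,
# signed, then checked for BOTH EKUs before import into ISE. The demo CA is
# only a stand-in for the enterprise CA and its certificate template.
set -eu

WORK="${WORK:-$(mktemp -d)}"                               # assumption: scratch dir
CLIENT_FQDN="${CLIENT_FQDN:-pxgrid-client01.example.com}"  # assumption: client hostname

# 1. Private key and CSR on the external server. The key is created here and
#    never has to be generated by, or exported from, ISE.
gen_key_and_csr() {                       # $1 = FQDN, $2 = output directory
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$2/$1.key" 2>/dev/null
  openssl req -new -key "$2/$1.key" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -out "$2/$1.csr" 2>/dev/null
}

# 2. Stand-in for the enterprise CA (assumption). In production the CSR goes
#    to the PKI team; the "template" argument imitates their certificate
#    template, which is what actually decides the EKUs on the issued cert.
make_demo_ca() {                          # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Issuing CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

sign_csr() {                              # $1 = dir, $2 = FQDN, $3 = template name
  local ekus
  case "$3" in
    both)        ekus="serverAuth, clientAuth" ;;   # what pxGrid needs
    server-only) ekus="serverAuth" ;;               # a generic "Web Server" template
    *) echo "unknown template: $3" >&2; return 2 ;;
  esac
  printf 'extendedKeyUsage = %s\nsubjectAltName = DNS:%s\n' "$ekus" "$2" > "$1/$3.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/$3.ext" -out "$1/$2.$3.crt" 2>/dev/null
}

# 3. Pre-import check. Read the EKUs from the ISSUED certificate, not the CSR:
#    a CA template can silently drop what the CSR asked for.
has_both_ekus() {                         # $1 = certificate (PEM)
  local eku
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 || true)
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

# 4. The pair that is imported into ISE: confirm the key really matches the cert.
key_matches_cert() {                      # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

main() {
  gen_key_and_csr "$CLIENT_FQDN" "$WORK"
  make_demo_ca "$WORK"
  sign_csr "$WORK" "$CLIENT_FQDN" both
  sign_csr "$WORK" "$CLIENT_FQDN" server-only
  for t in both server-only; do
    if has_both_ekus "$WORK/$CLIENT_FQDN.$t.crt"; then
      echo "$t: OK for pxGrid; import $CLIENT_FQDN.key + $CLIENT_FQDN.$t.crt into ISE"
    else
      echo "$t: REJECT, an EKU is missing; request a template with both Client and Server Auth"
    fi
  done
}
main
```

The `.key` and the `both` certificate are the two PEM files that go into the ISE import (GUI or the Certificate OpenAPI linked above); the `server-only` certificate is the one to catch here rather than after a failed pxGrid connection. The EKU check is done on the issued certificate on purpose, since the `-addext` values in the CSR are only a request to the CA.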

 


Thanks, that's clear.