Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
211
Views
1
Helpful
2
Replies

ISE pxGrid client/server certificate creation and renewal

Go to solution
JaseNL
Level 1
Level 1

‎07-15-2025 04:48 AM

I am setting up a number of servers as pxGrid clients and I have a couple of questions about what's possible and what's best practice.

1. Is it possible to generate a client/server certificate using a private key generated locally on the server?

2. All the documentation I've seen up till now describes renewing the client/server certificate from the GUI. Are there any facilities for automating this?

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎07-15-2025 03:08 PM

1. If you're talking about a private key generated on an external server, then yes. You can generate a private key and CSR on an external server, have it signed by your CA (using a template with both the Client and Server Auth EKUs), then import the key and signed certificate into ISE for the pxGrid usage.
On ISE directly, you can only generate the CSR (which generates the private key stored internally). Only after binding the signed certificate to the CSR in ISE are you able to export the private key (with the certificate).

2. Yes, there are APIs and IaC tools (Ansible, Terraform) for performing the same Certificate operations as in the GUI.
https://developer.cisco.com/docs/identity-services-engine/latest/certificate-openapi/

 

View solution in original post

2 Replies 2

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎07-15-2025 03:08 PM

1. If you're talking about a private key generated on an external server, then yes. You can generate a private key and CSR on an external server, have it signed by your CA (using a template with both the Client and Server Auth EKUs), then import the key and signed certificate into ISE for the pxGrid usage.
On ISE directly, you can only generate the CSR (which generates the private key stored internally). Only after binding the signed certificate to the CSR in ISE are you able to export the private key (with the certificate).

2. Yes, there are APIs and IaC tools (Ansible, Terraform) for performing the same Certificate operations as in the GUI.
https://developer.cisco.com/docs/identity-services-engine/latest/certificate-openapi/

 

Go to solution
JaseNL
Level 1
Level 1
In response to Greg Gibbs

‎07-15-2025 03:57 PM

Thanks, that's clear.

0 Helpful
Customers Also Viewed These Support Documents