Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1506
Views
0
Helpful
3
Replies

ISE SCEP URL to get root CA cert

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎11-24-2016 02:18 PM - edited ‎03-11-2019 12:15 AM

Hi Experts,

I am trying to configure ISE deployment to provide a PKI service, so that routers can enrol to get their own signed certs. I can't find any documentation on this.

ISE PAN is root CA, and ISE PSN is sub CA. I need an IOS router to be able to pull the root CA from the PAN or PSN, and then enrol using SCEP. Then it should also be able to do a CRL or check validity via OCSP.

If there is another way of doing this, I'm open to it, but would like to know if at all possible on ISE.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-02-2016 03:12 PM

Hello Bilal-

Just to make sure I understand your requirements: You want to use ISE's internal PKI to automatically issue certificates to your IOS Routers via SCEP?

If Yes, then the answer is No :) You can manually generate a CSR and have ISE's CA sign it and then manually install it on the routers. The automatic process for certificate on-boarding is only supported for:

- Windows

- Android

- iOS

- OSX

- ChromeOS

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-02-2016 03:12 PM

Hello Bilal-

Just to make sure I understand your requirements: You want to use ISE's internal PKI to automatically issue certificates to your IOS Routers via SCEP?

If Yes, then the answer is No :) You can manually generate a CSR and have ISE's CA sign it and then manually install it on the routers. The automatic process for certificate on-boarding is only supported for:

- Windows

- Android

- iOS

- OSX

- ChromeOS

I hope this helps!

Thank you for rating helpful posts!

0 Helpful

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni
In response to nspasov

‎12-02-2016 11:45 PM

Thats a shame because i quite liked the idea of having ISE being the PKI and only point of trust.

Have it working now with MS 2012 datacenter which was my last resort.

Thank you Neno.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Bilal Nawaz

‎12-03-2016 12:34 PM

Yeah, Cisco's stance is that the internal PKI is for BYOD and not to replace corporate PKI. However, I agree with you that it would be nice to be able to replace a Windows solution as it is easier to work with and the GUI is much nicer. Maybe in the future :)

0 Helpful
Customers Also Viewed These Support Documents