Solved: Issuing device cert to ISE via external SCEP server

carolroger_b · ‎09-16-2019

I am trying to have ISE ( v2.4 ) auto-enroll itself via SCEP to receive device certs from an external SCEP server ( LINUX ).

however i am not seeing the 'crypto pki trustpoint' command on the ISE server via which i am to configure / request for cert via the SCEP server. the SCEP server is updated under the external CA settings fields and the associated CA certs are imported into the Trusted Certificates section.

what am i missing ?

gs-cis-pe11/admin# show crypto pki certificates
^
% invalid command detected at '^' marker.

Jason Kunst · ‎09-17-2019

ISE is not able to use SCEP to obtain a certificate for itself.

View solution in original post

Mohammed al Baqari · ‎09-16-2019

ISE isn't an ASA or Router to run these commands. Follow ISE document below.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html#anc17

carolroger_b · ‎09-17-2019

Thank you Mohammed.

the question is more on having ISE receive it's device certificate ( right now it has only a self signed cert ) with a non-MS SCEP Server talking to a CA like Symantec , AppViewX.

The SCEP Profile is configured with the Non-MS SCEP server URL and connectivity is established.

the certificates have been imported to the truststore certificate inventory and the trust is established.

what i am looking for is how can i tell ISE to enroll itself for SCEP to receive it's device certificate once it expires or needs to be renewed ?

Jason Kunst · ‎09-17-2019

ISE is not able to use SCEP to obtain a certificate for itself.