03-23-2018 06:34 AM
Hello,
I have a customer that is currently looking at redesigning their current PKI. They wish to use the Internal CA feature as an intermediary of an external root for the provisioning point for all of their corporate assets including MS devices. This would not be for a BYOD function but the corporate authentication.
This is not something I have seen in the past or advised outside of a BYOD/pxGrid use. Typically an MS CA or 3rd party function. So I have some questions if I may:
Endpoint count is in the realm of 100K
Thanks in advance!
Dave
03-25-2018 04:14 PM
Is this a supported design for the Internal CA?
Are there any scale issues or limits?
If this is supported, what are the major considerations or limitations?
- I assume a lack of auto enrollment and user interaction is required in general?
~Hari
03-23-2018 06:51 AM
I don’t quite understand what they want to do?
Are you trying to do certificate provisioning thru ISE acting as the SCEP server? But outside of the BYOD flow?
If that’s the case, it’s not something tested therefore supported and would be completely up to the customer to investigate.
03-23-2018 10:09 AM
I don't see why they would want to go through the pain of doing this. ISE would not support autoenrollment for MS devices. They would all have to go through the client provisioning portal to get a cert. The ISE internal CA should be used for one-off provisioning in my opinion, not as an enterprise issuing server.