Certificate auto-enrollment with a non-Microsoft PKI (using EST or SCEP protocol)

Hello,

We are currently working on a project where we want to deploy certificates to devices in order for them to authenticate.

We will be relying on Cisco's ISE for identity management, using the CAPF service, but we have an external PKI which we want to use (it supports SCEP, EST, CMP, ACME, ...), and on which we want to generate all the certificates.

The documentation (https://www.cisco.com/c/en/us/support/docs/security-vpn/certificate-authority-ca/214396-troubleshooting-capf-online-ca.html) mentions several ways to implement enrollment, and in particular using the EST protocol, which is recommended by Cisco (https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/public-key-infrastructure-provisioning-with-est.pdf).

However, there is no clear mention that all PKIs running SCEP or EST will be compatible; there is only documentation for ADCS:

https://www.cisco.com/c/en/us/support/docs/security-vpn/certificate-authority-ca/214396-troubleshooting-capf-online-ca.html

Is it possible to have a confirmation that enrollment will be working as long as EST is supported?

Thank you very much in advance,

Regards