ISE 3.1 as Subordinate CA

gaigl
Level 3

Hello,

We have a deployment of 2 ISE, version 3.1 P6, and an AD PKI with Root, Intermediate and Sub CAs.

Now we want the ISE to act as a SubCA of the Intermediate CA for SCEP, to enroll client certificates for Linux clients and maybe other devices. This should be possible, right?

I've read a lot of docs, e.g.: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_C0EDF372974E459CA8E4A14389853525

but I can't find details on how to integrate the ISE into the PKI.

I've got the Root, Intermediate and SubCA under Trusted Certificates; when I try to import these certs under "Cert Authority -> Certificate Authority Certificates" I get an error that they are already under Trusted Certs.

I guess the PKI admins have to accept the ISE as a CA, right?

Any help appreciated

Karl

1 Reply

ABhamra
Level 1

All below is from this link:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_C0EDF372974E459CA8E4A14389853525

Cisco ISE as an Intermediate CA

Configure Cisco ISE Root CA as Subordinate CA of an External PKI

If you want the root CA on the primary PAN to act as a subordinate CA of an external PKI, generate an ISE intermediate CA certificate signing request, send it to the external CA, obtain the root and CA-signed certificates, import the root CA certificate into the Trusted Certificates Store, and bind the CA-signed certificate to the CSR. In this case, the external CA is the root CA, the primary PAN is a subordinate CA of the external CA, and the PSNs are subordinate CAs of the primary PAN.
Procedure

Step 1: Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2: Click Generate Certificate Signing Requests (CSR).
Step 3: Choose ISE Intermediate CA from the Certificate(s) will be used for drop-down list.
Step 4: Click Generate.
Step 5: Export the CSR, send it to the external CA (you can choose the Subordinate Certification Authority certificate template), and obtain the CA-signed certificate.
Step 6: Import the root CA certificate from the external CA into the Trusted Certificates store.
Step 7: Bind the CA-signed certificate with the CSR.
What to do next:
If you have a secondary PAN in the deployment, obtain a backup of the Cisco ISE CA certificates and keys from the primary PAN and restore it on the secondary PAN. Server and root certificates are then automatically replicated in the secondary PAN. This ensures that the secondary PAN can function as subordinate CA of the external PKI in case of administration node failover.
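As an added example (not from this thread or from Cisco's documentation), a POSIX shell pre-check for Step 7 using openssl: it confirms that the certificate the external CA returned for the ISE Intermediate CA CSR chains to the root imported in Step 6 and was issued from a subordinate CA template (CA:TRUE, keyCertSign) rather than an end-entity one, which is the most common reason a bind then fails or the PSNs cannot issue. The mini PKI it builds is a constructed fixture and every file name is an assumption.

```shell
#!/bin/sh
# Pre-flight check for Step 7: confirm that the certificate the external CA
# returned for the ISE Intermediate CA CSR is a real subordinate CA certificate
# that chains to the root imported in Step 6. Needs openssl; paths are assumed.
set -e

# check_subca_cert CERT CHAIN -> 0 only if CERT validates against CHAIN,
# carries basicConstraints CA:TRUE and a keyUsage permitting keyCertSign.
check_subca_cert() {
  cert="$1"; chain="$2"
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL $cert: does not chain to the trusted root"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' \
    || { echo "FAIL $cert: basicConstraints is not CA:TRUE (end-entity template?)"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' \
    || { echo "FAIL $cert: keyUsage lacks keyCertSign"; return 1; }
  echo "OK $cert: subordinate CA certificate, chains to root"
}

# make_demo_pki DIR: constructed Root -> Intermediate PKI plus two responses
# to one "ISE" CSR: subca.pem (Subordinate CA template) and wrong.pem (the
# same CSR signed with an end-entity template). Demo fixture only.
make_demo_pki() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$d/ee.ext"
  for n in root int ise; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/ise.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/subca.pem" 2>/dev/null
  openssl x509 -req -in "$d/ise.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/ee.ext" -out "$d/wrong.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" >"$d/chain.pem"   # what Step 6 trusts
}

# Demonstration on the constructed PKI; point check_subca_cert at real files.
demo=$(mktemp -d); make_demo_pki "$demo"
check_subca_cert "$demo/subca.pem" "$demo/chain.pem"
check_subca_cert "$demo/wrong.pem" "$demo/chain.pem" || true
rm -rf "$demo"
```

Running it against the real export shows which of the three conditions the external CA's response violates before anything is bound in ISE.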