04-18-2023 11:19 PM
Hello,
We have a deployment of 2 ISE version 3.1 P6 and an AD PKI with root, intermediate and sub CAs.
Now we want the ISE to act as a sub CA of the intermediate CA for SCEP, to enroll client certs for Linux clients and maybe other devices; this should be possible, right?
I've read a lot of docs, e.g.: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_C0EDF372974E459CA8E4A14389853525
but I can't find details on how to integrate the ISE into the PKI.
I've got the root, intermediate and sub CA under Trusted Certificates; when I try to import these certs under "Cert Authority -> Certificate Authority Certificates" I get an error that they are already under Trusted Certs.
I guess the PKI admins have to accept the ISE as a CA, right?
Any Help appreciated
Karl
12-27-2023 01:36 PM - edited 12-27-2023 01:40 PM
All below is from this link:
Cisco ISE as an Intermediate CA
Configure Cisco ISE Root CA as Subordinate CA of an External PKI
If you want the root CA on the primary PAN to act as a subordinate CA of an external PKI, generate an ISE intermediate CA certificate signing request, send it to the external CA, obtain the root and CA-signed certificates, import the root CA certificate into the Trusted Certificates Store, and bind the CA-signed certificate to the CSR. In this case, the external CA is the root CA, the primary PAN is a subordinate CA of the external CA, and the PSNs are subordinate CAs of the primary PAN.
Procedure
Step 1: Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2: Click Generate Certificate Signing Requests (CSR).
Step 3: Choose ISE Intermediate CA from the Certificate(s) will be used for drop-down list.
Step 4: Click Generate.
Step 5: Export the CSR and send it to the external CA. You can choose the Subordinate Certification Authority certificate template and obtain the CA-signed certificate.
Step 6: Import the root CA certificate from the external CA into the Trusted Certificates store.
Step 7: Bind the CA-signed certificate with the CSR.
What to do next:
If you have a secondary PAN in the deployment, obtain a backup of the Cisco ISE CA certificates and keys from the primary PAN and restore it on the secondary PAN. Server and root certificates are then automatically replicated in the secondary PAN. This ensures that the secondary PAN can function as subordinate CA of the external PKI in case of administration node failover.