Try this out:

dal · ‎01-21-2016

Hi.

I just found out about Let's Encrypt (https://letsencrypt.org/), and it sounds fantastic.

However, it seems to be best suited for webservers running on normal linux distros or IIS servers, and not on "hardened" linux versions like ISE or Prime are running.

But I noticed that Cisco is one of the major sponsors of the project, so does anyone know if there are concrete plans from Cisco to provide support for their own platforms, like ACS, ISE, Prime, ASA, etc?

As I understand it, Let's Encrypt is module based, so I'm hoping to see a Cisco module, preferrably by Cisco themselves.

But there is also a possibility to sign Certificate Signing Requests, but I haven't been able to make it for ISE. Yet.

Marvin Rhoads · ‎01-21-2016

My colleague wrestled with Let Encrypt a bit. He has been thus far unsuccessful at getting it to issue a certificate that we can use on an ASA.

The main problem is that you need to have the ability to run openssl on the server and it needs to have a publicly resolvable FQDN. ISE and ASAs can't do the former and the latter constraint is not the case usually for an internal appliance like ISE or Prime Infrastructure.

We were trying to work around by standing up an internal Linux server but still no dice - may have been partly our unfamiliarity with the tools but it was way harder than it has to be if they expect any significant set of users.

Also, I believe these certificates are only valid for 90 days so you need to repeat the process with that periodicity or less - ugh.

Our conclusion (for now) was that it sounds like a great idea but isn't quite ready for the uses cases we'd like to solve as network security engineers. If we were running public web servers and had some automation and orchestration tools in place, it would probably be a much more attractive solution right now.

jan.nielsen · ‎01-22-2016

Let's encrypt is definately not intended for ASA's and other networking devices, i think the primary goal is to get end user traffic to/from internet websites encrypted. For that it is actually quite easy, running apache or really any webserver where you have control over the webserver, takes a few minutes, and then you have a cert, renewal is also quite simple.

dal · ‎02-04-2016

Let's hope Cisco creates modules built into ISE, ASA etc. for this.

Since they are listed as one of the major sponors, it isn't unthinkable?

Marvin Rhoads · ‎02-04-2016

Worse - inconceivable!

(I couldn't resist.)

ADeisinger · ‎06-21-2016

We could also hope for support for Wireless Controller web portal support as well. That's a certificate that I have to re-load every few years or so that I would gladly have automated.

HumanTorch · ‎08-07-2017

Try this out:

https://github.com/chrismarget/certbot-asa

It's a certbot plugin that's installed on a separate light weight linux VM. It communicates to the ASA via APIs, pulls the certs from Lets Encrypt (via the ACME protocol) and installs it on all the ASAs in the network.

Haven't tried it but looks promising once set up right.

You can also go the manual route, and easy web version (if you don't like noodling with linux): zeroSSL.com

The hope/dream is that Cisco will implement the ACME protocol in all their devices soon, as everything has a web interface these days, how many certs is a person supposed to buy, install, maintain!!!!

It will however KILL the business of all the certificate providers; Thawte, GoDaddy, VeriSign, etc.

Cisco ISE / Prime and certificates from Let's Encrypt?