Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


How do I find which Certificate is being used in ISE for a Cisco IP Phone using CUCM Certificate?


How do I find out which certificate a Cisco IP Phone is using to authenticate onto the network using Cisco ISE?

Our current CAPF certificate issued by Cisco Call Manager is about to expire. It has been added to our Cisco ISE certificate store and has been used in the past to authenticate Cisco IP phones onto our network.

We have generated a new certificate in Call Manager and imported it into ISE. We have also pushed this same cert out to a Cisco IP phone as a test. After reloading the phone it authenticated itself onto the network without any problems.

I still need to verify that the authentication happened because of the new certificate.

I would think that there would be a reference somewhere in ISE that would match up with a reference in the certificate.

I can't seem to find anything that matches up.

Does anybody have any ideas on this?

Cisco Employee

I haven't worked on UC

I haven't worked on UC systems in a while so I have a question: What options are you given when you are generating the new certificates for the endpoints? More specifically do you have the options to:

- Name the certificate template

- Change/alter username

- Etc (any other options)

Thank you for rating helpful posts!




I have had time to research this. To find out the authentication method for a Cisco IP phone in ISE you need to click on the 'Details' link for that devices authentication. The new window will open. Look into the 'Authentication Details' portion and make note of any reference to a CA authority. If this reference exists then the IP phone was authenticated using a certificate.

Also, If an expired certificate was in place on this phone the only way to view this expired certificate is to connect to the phone using a web browser. To do this the phone must be 'web enabled' in Call Manager. Once you have accessed the phone via web browser then you can click on the security link on the right side of the url address bar. This will bring up the certificate and you can make the comparison at that point.