cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
512
Views
0
Helpful
3
Replies
Highlighted
Engager

ISE SCEP URL to get root CA cert

Hi Experts,

I am trying to configure ISE deployment to provide a PKI service, so that routers can enrol to get their own signed certs. I can't find any documentation on this.

ISE PAN is root CA, and ISE PSN is sub CA. I need an IOS router to be able to pull the root CA from the PAN or PSN, and then enrol using SCEP. Then it should also be able to do a CRL or check validity via OCSP.

If there is another way of doing this, I'm open to it, but would like to know if at all possible on ISE.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hello Bilal-

Hello Bilal-

Just to make sure I understand your requirements: You want to use ISE's internal PKI to automatically issue certificates to your IOS Routers via SCEP?

If Yes, then the answer is No :) You can manually generate a CSR and have ISE's CA sign it and then manually install it on the routers. The automatic process for certificate on-boarding is only supported for:

- Windows

- Android

- iOS

- OSX

- ChromeOS

I hope this helps!

Thank you for rating helpful posts!

3 REPLIES 3
Cisco Employee

Hello Bilal-

Hello Bilal-

Just to make sure I understand your requirements: You want to use ISE's internal PKI to automatically issue certificates to your IOS Routers via SCEP?

If Yes, then the answer is No :) You can manually generate a CSR and have ISE's CA sign it and then manually install it on the routers. The automatic process for certificate on-boarding is only supported for:

- Windows

- Android

- iOS

- OSX

- ChromeOS

I hope this helps!

Thank you for rating helpful posts!

Engager

Thats a shame because i quite

Thats a shame because i quite liked the idea of having ISE being the PKI and only point of trust.

Have it working now with MS 2012 datacenter which was my last resort.

Thank you Neno.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
Cisco Employee

Yeah, Cisco's stance is that

Yeah, Cisco's stance is that the internal PKI is for BYOD and not to replace corporate PKI. However, I agree with you that it would be nice to be able to replace a Windows solution as it is easier to work with and the GUI is much nicer. Maybe in the future :)