Cisco ISE Internal CA

841 Views · 10 Helpful · 6 Comments
vsurresh
Beginner

Hello.

Thanks in advance for any input.

I have just spun up a Cisco ISE lab and am having some issues with the certificates.

I created a self-signed certificate to be used with EAP and Admin. The DNS name ise1.example.local points to the ISE IP address. When I try to browse to the DNS name I get the certificate error, which is what I expected. However, the issuer information on the certificate is blank. I expected the ISE CA to sign the certificate. What am I missing here? Why is the self-signed certificate not signed by the internal CA? (Screenshots attached)

Regards

6 Comments
Arne Bier
VIP Advisor

Hello @vsurresh

Self-signed means that the certificate you have was signed by itself (and not by another CA). You are getting confused about the internal CA that is available in ISE. Certificates issued from the ISE CA are NOT self-signed - they have been signed by the ISE CA hierarchy (root, node, issuing CA).

If you want a real self-signed cert then create them in ISE as follows:

Administration > System > Certificates > Certificate Management > System Certificates

and then click on the button 'Generate Self Signed Certificate' - in the next page select the node for which you are doing this (one node at a time) and then the role - Admin, EAP, etc.

Self-signed certs are really only useful to get you out of trouble when you can't get these role certificates signed by a proper CA (public CA or private PKI).

vsurresh
Beginner

Thanks for your response @Arne Bier.

I thought the self-signed certificate is signed by the ISE CA, my bad.

Is there a way to generate a system certificate (EAP and Admin) and get it signed by the ISE CA? I can then install the ISE root CA on my client machines so they can verify the EAP/Admin certs presented to them during the TLS initiation.

At the moment I don't have a private PKI in my lab, hence going this route.

Regards

Arne Bier
VIP Advisor

Hello again @vsurresh

Sure you can do that. I did it recently for a two-node ISE deployment, where the customer had no PKI and they didn't want to issue any publicly signed certs for EAP or Admin.

Here is the process:

1) Create a CSR for each ISE node - ideally create a CSR for Admin only, and then create another CSR for EAP. The reason I separate these is that you can then work with them individually (replacing an EAP cert in future without impacting the Admin role and vice versa; some folks just do the multi-use).

2) Export the CSR PEM file and save them to a folder - rename the files if required to remind yourself which role and which node they are for.

3) Go back to ISE and select the pxGrid menu (Administration > pxGrid Service > Certificates). Choose from the drop-down menu 'I want to generate a single certificate with signing request'.

4) In the details field paste the CSR for the ISE01 EAP role (just for starters) - put a useful description like 'ISE01 EAP Cert' - in Download format choose the PEM format. Enter an easy to remember password and then click create (no need to configure a SAN).

5) Download the resulting cert (in a zip file - extract it and rename the file if need be to keep things clear).

6) Go into ISE Certificates, Certificate Signing Requests, select the ISE01 EAP CSR and then click 'bind' - feed it the certificate that you just created with pxGrid. Just check the .zip file - it will contain many files. Only one of them is the certificate itself.

That's it. You will have created an EAP cert for ISE01 that has a CA chain of ISE Internal Root CA, Node CA, and Endpoint Services CA (issuing CA).

[Image: EAP cert.png]

The ZIP file contains the entire CA chain (including of course the Root CA cert) for your clients.

Then repeat the process for ISE02.

My output is a bit weird because, due to unforeseen circumstances, ISE02 was the root CA - it's an artifact of how the node was deployed (it was the first node in the deployment - hence the Root CA was assigned to ISE02 - normally if ISE01 had been built first, then it would be in the Root CA's Subject).

vsurresh
Beginner

@Arne Bier Thank you so much for taking the time to explain, really appreciate your effort. I will test this in my home lab.

Can I, on the other hand, generate a self-signed certificate for Admin or EAP, then export the certificate and install it in my client machine's trusted cert store? I believe this would bypass the root CA check, right? When I initiate an EAP-PEAP session from the client, ISE would present the self-signed certificate, which is trusted by the client already. Did I get this right? I always get confused with certificates.

In a nutshell, we can implement EAP-PEAP in two ways.

1. Create a system certificate for EAP, get it signed by an internal or public CA. Install the Root CA's certificate on the client machine. Now the client is going to trust the ISE EAP server certificate.

2. Create a self-signed EAP cert on ISE. Export and install this cert on the client machine.

Are these valid options? In production, of course, I would go with option 1.

Thanks
Arne Bier
VIP Advisor

Hello mate

Option 1 will work as long as the self-signed cert contains the 'CA' flag enabled. For example, you can't outright export the ISE EAP cert and install it on a client and expect the client to trust that cert. If the ISE EAP cert was signed by another CA then the client will not accept the ISE EAP cert as a 'root'. You can validate that with wpa_supplicant in your lab (BTW, see my blog series part 2 on how to do this). On the other hand, if the ISE EAP cert is a self-signed cert, then it will contain the CA flag, and the client will honour that and accept it, assuming that the client has the ISE EAP self-signed cert installed in its trust store.

Example below of an ISE self-signed cert:

[Image: example.png]

wpa_supplicant is a great way to test all this on a Linux CLI. I currently don't have a self-signed cert installed for my ISE EAP server - but perhaps you can give it a go.
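Added example, not from this thread and not Cisco's code: it reproduces the trust-store behaviour described in the reply above (and the root-to-leaf chain that the CSR/pxGrid/bind procedure earlier in the thread ends up with) using only openssl on a Linux CLI, so it can be run without an ISE node or wpa_supplicant. All names are constructed: ise1.example.local is the hostname from the question, and "Lab Root CA" stands in for the ISE internal CA chain. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread): a CA-issued EAP cert dropped into a client
# trust store on its own does not validate, while a self-signed cert (which
# carries basicConstraints CA:TRUE) does. All names are constructed; "Lab Root CA"
# stands in for the ISE internal CA chain. Assumes OpenSSL >= 1.1.1.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
EOF

# Case A: a self-signed EAP cert, like ISE's 'Generate Self Signed Certificate'.
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 365 -subj "/CN=ise1.example.local" \
  -keyout selfsigned.key -out selfsigned.pem 2>/dev/null

# Case B: a private root CA plus an EAP cert issued from it (CSR -> sign -> bind).
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 365 -subj "/CN=Lab Root CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=ise1.example.local" -keyout eap.key -out eap.csr 2>/dev/null
openssl x509 -req -in eap.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 \
  -extfile req.cnf -extensions v3_server -out eap.pem 2>/dev/null

# is_ca CERT -> "yes" if basicConstraints says CA:TRUE, else "no"
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# client_accepts TRUSTED PRESENTED -> "ok" if a client whose trust store holds
# only TRUSTED would validate the cert PRESENTED by the EAP server, else "fail".
# -no-CApath/-no-CAfile keep the machine's own trust store out of the check.
client_accepts() {
  if openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  then echo ok; else echo fail; fi
}

echo "self-signed cert carries CA flag:           $(is_ca selfsigned.pem)"
echo "CA-issued cert carries CA flag:             $(is_ca eap.pem)"
echo "client trusts self-signed, server sends it: $(client_accepts selfsigned.pem selfsigned.pem)"
echo "client trusts CA-issued leaf directly:      $(client_accepts eap.pem eap.pem)"
echo "client trusts root, server sends leaf:      $(client_accepts ca.pem eap.pem)"
```

The fourth line is the case the reply warns about: the leaf from the ISE CA is in the trust store, but a client will not treat a non-self-signed certificate as an anchor, so validation fails unless the root (fifth line) is installed instead.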

 

vsurresh
Beginner

Perfect. That makes sense now. I just went through your blog post and it is very informative.

Thanks again for the great explanation.
