How To: Deploying Certificates with pxGrid: CA-signed ISE pxGrid Node and CA-signed pxGrid Client

This document illustrates the configuration steps required for configuring a pxGrid client and the ISE pxGrid node using a certificate authority. This document is intended for Cisco field engineers, technical marketing engineers, partners and customers deploying Cisco pxGrid. Familiarity with pxGrid is required.

Comments
Enthusiast

Hi @thomas_Howard. Following my search for integration between ISE and FMC using PxGrid, I found your post and wanted to thank you for it.

In the meantime I had a question regarding this guide, which has references to "PxGrid Node" (or ISE) and "PxGrid Client". Actually I need the exact same procedure in my lab between ISE and FMC 6.2.2. What I didn't manage to grasp from the guide is the device on which you used the "openssl" tool. Did you use openssl on ISE or what? Regarding my case, do I need to use "openssl" on my FMC CLI, and if yes, which of those commands need to be issued on FMC? All of them?

Also, you have mentioned that this is the procedure for ISE in standalone mode. I have two ISE nodes in my lab. Do I need to do the exact same procedure on every one of my ISE devices, or will it be done just on the Primary PAN node?

Thanks for your time.

Cisco Employee

Since your lab has ISE and FMC 6.2.2, Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGrid) might be more appropriate. If you have further questions, please start a new discussion. You may also want to look at other content by our pxGrid SME jeppich.

Cisco Employee

Hey Hossein,

Please see Deploying pxGrid in an ISE productional environment: How to Configure pxGrid in ISE Production Environments

This all depends if you are using the ISE internal CA or an external CA server.

Please unicast me if you have further questions.

Thanks,

John

jeppich@cisco.com

Enthusiast

Hi;

I was actually following the procedure stated in that same document but got stuck at the point where we should use "openssl" to create a pkcs12 package. The command needs the CA root certificate, but I couldn't find how to copy that file onto FMC. This is what I got:

admin@firepower:~$ openssl pkcs12 -export -out firepower.p12 -inkey firepower.key -in pxGridClient.csr -chain -CAfile xinmix-root-ca-certificate.cer 

unable to load certificates

I also didn't manage to find FMC CLI which explains file management, but I got some texts stating it is locked and cannot be accessed by users!

Cisco Employee

Hey Hossein,

You can use WinSCP to copy over the CA root certificate. Also please make sure you have a customized pxGrid template with an EKU of both client authentication and server authentication.

Please log in as root.

You can also use the following guide as reference: How To: Integrate Firepower Management Center (FMC) 6.0 with ISE and TrustSec through pxGrid

Thanks,

John

jeppich@cisco.com
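
Added example, not part of the original posts or of Cisco's guides: pre-flight checks for the `openssl pkcs12 -export` step discussed above. They confirm that the `-in` file is a signed X.509 certificate rather than a request, that its EKU carries both client and server authentication, and that the private key matches. The function names, the file arguments and the `P12_PASSWORD` environment variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-flight checks before `openssl pkcs12 -export`.
# All file names passed in are placeholders, not values from the thread.

# 0 only if $1 is a PEM X.509 certificate (not a CSR) whose EKU lists
# both client and server authentication; 2/3/4 identify the failed check.
check_pxgrid_cert() {
    # `openssl x509` refuses to parse a certificate request.
    _text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "not an X.509 certificate: $1" >&2; return 2; }
    printf '%s\n' "$_text" | grep -q "TLS Web Client Authentication" || {
        echo "EKU lacks client authentication: $1" >&2; return 3; }
    printf '%s\n' "$_text" | grep -q "TLS Web Server Authentication" || {
        echo "EKU lacks server authentication: $1" >&2; return 4; }
}

# 0 if private key $2 belongs to certificate $1 (public keys are identical).
key_matches_cert() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# usage: P12_PASSWORD=... build_p12 cert.pem key.pem ca.pem out.p12
# Bundles only after the checks pass and the certificate chains to the CA file.
# The export password is read from the environment (assumed variable name)
# so that it does not appear in the process list.
build_p12() {
    check_pxgrid_cert "$1" && key_matches_cert "$1" "$2" || return 1
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || {
        echo "certificate does not chain to $3" >&2; return 5; }
    openssl pkcs12 -export -out "$4" -inkey "$2" -in "$1" \
        -chain -CAfile "$3" -passout env:P12_PASSWORD
}
```
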

Enthusiast

Hi;

Thank you all for your help. I used SFTP (SecureFX program) to copy certificates from PC to ISE and then was able to issue "openssl" commands to generate CSR.