This document is for Cisco engineers and customers who are interested in deploying the Cisco Identity Services Engine (ISE) 2.1 Internal Certificate Authority (CA) for Cisco Platform Exchange Grid (pxGrid) clients. It replaces the use of an external CA server, such as a Microsoft CA with a customized pxGrid template, for issuing certificates to pxGrid ecosystem partners and Cisco Security Solutions.
Using ISE as the CA server eases pxGrid deployment: Cisco Security Solutions and pxGrid ecosystem client certificates are generated and issued by the ISE certificate-provisioning portal using a built-in pxGrid template.
The pxGrid client certificate can be in either Privacy Enhanced Mail (PEM) or Public-Key Cryptography Standards #12 (PKCS12) format, depending on how the solution is implemented with pxGrid. The PEM format is a base64 encoding of the X.509 ASN.1 (DER) structures; as issued by ISE it contains the pxGrid client's public-private key pair, the ISE CA root certificate, the ISE EndpointSubCA certificate, and the ISE Services node certificate. The PKCS12 format, originally defined by RSA in the Public-Key Cryptography Standards, holds the certificate and private key pairs in a single password-protected (encrypted) container, unlike PEM files.
pxGrid C client implementations use the PEM format for their certificates. pxGrid Java client implementations use the PKCS12 file format and convert it into a Java keystore, which serves as the truststore of the security solution.
This document describes the procedure for configuring the ISE certificate provisioning portal and provides use-case examples for generating and issuing pxGrid certificates to the following pxGrid clients:
- Cisco Firesight 5.4
- Cisco Firepower 6.1
- Splunk for ISE Add-on 2.20 (the same procedure applies to other security solutions that use Java keystores)
- Stealthwatch 6.8.2
- Cisco Web Security Appliance 9.0.1 build 162