Cisco ISE issue Router Certificate

Rakesh Kumar
Level 1

Hello 

I am looking for directions to how-to guides or configuration examples showing how an ISE PSN can be used as an intermediate CA (the root CA being the corporate Microsoft CA). Routers / ASA firewalls would auto-enrol certificate requests to ISE, which can issue the certificates as an intermediate CA; the routers / firewalls would use these certificates to configure IPsec VPN.

Many Thanks,

Rakesh

Accepted Solutions

Francesco Molino
VIP Alumni

Hi

Here is the documentation of Cisco:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html

It's very simple to set ISE as an intermediate CA. ISE will use the SCEP protocol to distribute certificates. Look at the paragraph "ISE CA Issues Certificates to ASA VPN User".

In a few words: after importing the root CA and activating ISE as a CA server, you generate a CSR from ISE. On Windows, generate the intermediate certificate for ISE based on this CSR. Once it is generated, bind this certificate to the CSR in ISE.

That's it. 

Don't worry, the steps are described quite well in ISE.  

There is a great video from labminutes, which I always recommend to beginners; they are doing a great job: http://www.labminutes.com/sec0187_ise_13_internal_certificate_authority_ca_setup_2

What you need to know is that you will not be able to create specific templates on ISE like you were doing on Windows.

PS: if this solved your issue, don't forget to rate and mark it as the correct answer.

Thanks 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
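
An added example (not part of the original posts or of Cisco's documentation): before binding the certificate returned by the root CA to the CSR in ISE, these openssl checks confirm that it carries the CSR's key, is a CA certificate, and chains to the root. A throwaway openssl root stands in for the Microsoft CA, and every file and subject name is constructed.

```shell
#!/bin/sh
# Added example. Every file name and subject name here is constructed.

# check_subca ROOT_PEM CERT_PEM CSR_PEM
# Prints "ok" and returns 0 only if CERT is fit to bind to the CSR as a sub-CA.
check_subca() {
  # 1. The certificate must carry the public key of the CSR it will be bound to.
  [ "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" = \
    "$(openssl req -in "$3" -noout -pubkey | openssl sha256)" ] ||
    { echo "key mismatch"; return 1; }
  # 2. It must be a CA certificate, otherwise it cannot sign device certificates.
  openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' ||
    { echo "not a CA certificate"; return 1; }
  # 3. It must chain to the imported root CA.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "does not chain to root"; return 1; }
  echo "ok"
}

# make_demo DIR: build constructed test material in DIR.
# A throwaway openssl root stands in for the corporate root CA (assumption).
make_demo() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$1/leaf.ext"
  # Self-signed demo root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  # CSR playing the role of the one generated on ISE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo ISE Sub CA" \
    -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
  # Correctly issued sub-CA certificate, and one wrongly issued as end-entity.
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/sub.pem" 2>/dev/null
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

d=$(mktemp -d)
make_demo "$d"
check_subca "$d/root.pem" "$d/sub.pem" "$d/sub.csr"            # ok
check_subca "$d/root.pem" "$d/leaf.pem" "$d/sub.csr" || true   # not a CA certificate
rm -rf "$d"
```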

Great many thanks..!

You're very welcome 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I'm in the same situation, running an internal CA on ISE with PSN nodes as sub-CAs. I cannot get IOS routers to get the CA root/sub certs and enrol to get their own signed certs.

Is there an example out there that shows how to get Cisco IOS routers to do this with ISE?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.