06-11-2016 12:02 AM
Hello
I am looking for directions to how-to guides or configuration examples on how an ISE PSN can be used as an intermediate CA (the root CA being the corporate Microsoft CA). Routers / ASA firewalls auto-enrol certificate requests to ISE, which can issue the certificates as intermediate CA; the routers / firewalls can then use these certificates for configuration of IPsec VPN.
Many Thanks,
Rakesh
06-12-2016 08:50 PM
Hi
Here is the documentation of Cisco:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html
It's very simple to set ISE as an intermediate CA. ISE will use the SCEP protocol to distribute certificates. Look at the paragraph "ISE CA Issues Certificates to ASA VPN User".
In a few words: after importing the root CA, and when you activate ISE as a CA server, you will generate a CSR from ISE. Generate on Windows the intermediate certificate for ISE based on this CSR. Once generated, bind this certificate to the CSR in ISE.
That's it.
Don't worry, the steps are described quite well in ISE.
There is a great video, which I always recommend to beginners, from labminutes, who are doing a great job: http://www.labminutes.com/sec0187_ise_13_internal_certificate_authority_ca_setup_2
What you need to know is that you'll not be able to create specific templates on ISE like you were doing on Windows.
PS: if this solved your issue, don't forget to rate and mark it as the correct answer.
Thanks
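The CSR, sign and bind sequence described in the answer above can be rehearsed offline with OpenSSL. This is an added example, not part of the original post and not Cisco's or Microsoft's procedure: a throwaway root stands in for the corporate root CA, a local CSR stands in for the one generated on ISE, and every file name and subject is constructed. It also signs the same CSR without CA extensions to show the failure mode: that certificate still chains to the root, but device certificates issued under it are rejected.

```shell
# Constructed lab PKI: a throwaway root stands in for the corporate root CA and
# a locally generated CSR stands in for the CSR produced on ISE.
set -eu

# True when the certificate asserts basicConstraints CA:TRUE.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# True when device cert $3 validates through intermediate $2 up to root $1.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# new_csr NAME CN : create NAME.key and NAME.csr.
new_csr() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign CSR_NAME ISSUER_CERT ISSUER_KEY EXT_SECTION OUT : issue a certificate.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile pki.cnf -extensions "$4" -days 30 -out "$5" 2>/dev/null
}

LAB=$(mktemp -d) && cd "$LAB"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[sub_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[end_entity]
basicConstraints = CA:FALSE
EOF

# Self-signed root (constructed stand-in for the corporate root CA).
openssl req -x509 -config pki.cnf -extensions sub_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 30 2>/dev/null
new_csr sub "Constructed ISE Sub CA"             # CSR as generated on the sub-CA
sign sub root.pem root.key sub_ca sub.pem        # root signs it with CA extensions
sign sub root.pem root.key end_entity wrong.pem  # same CSR signed as a non-CA
new_csr device "constructed-router"              # device enrolment request
sign device sub.pem sub.key end_entity dev_good.pem
sign device wrong.pem sub.key end_entity dev_bad.pem

is_ca_cert sub.pem   && echo "sub.pem: CA:TRUE"
is_ca_cert wrong.pem || echo "wrong.pem: not a CA"
chain_ok root.pem sub.pem dev_good.pem  && echo "dev_good.pem: chain OK"
chain_ok root.pem wrong.pem dev_bad.pem || echo "dev_bad.pem: rejected"
```

Running `is_ca_cert` against the certificate that comes back from the Windows CA, before binding it in ISE, catches a request that was signed with the wrong extensions.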
06-26-2016 02:58 AM
Great many thanks..!
06-26-2016 04:38 AM
You're very welcome
11-25-2016 06:53 AM
I'm in the same situation, running an internal CA on ISE with PSN nodes as sub-CAs. I cannot get IOS routers to get the CA root/sub certs and enrol to get their own signed certs.
Is there an example out there that shows how to get Cisco IOS routers to do this with ISE?