Beginner

Cisco ISE issue Router Certificate

Hello 

I am looking for pointers to how-to guides or configuration examples on how an ISE PSN can be used as an intermediate CA (the root CA being the corporate Microsoft CA). Routers / ASA firewalls auto-enrol certificate requests to ISE, which can issue the certificates as an intermediate CA; the purpose of these certificates is for the routers / firewalls to use them in the configuration of IPsec VPN.

Many Thanks,

Rakesh

1 ACCEPTED SOLUTION

VIP Advisor

Hi

Here is the documentation of Cisco:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html

It's very simple to set ISE as an intermediate CA. ISE will use the SCEP protocol to distribute certificates. Look at the paragraph "ISE CA Issues Certificates to ASA VPN User".

In a few words: after importing the root CA and when you activate ISE as a CA server, you will generate a CSR from ISE. Generate on Windows the intermediate certificate for ISE based on this CSR. Once generated, bind this certificate to the CSR in ISE.

That's it.

Don't worry, the steps are described quite well in ISE.

There is a great video, which I always recommend to beginners, from labminutes, who are doing a great job: http://www.labminutes.com/sec0187_ise_13_internal_certificate_authority_ca_setup_2

What you need to know is that you'll not be able to create a specific template on ISE like you were doing on Windows.

PS: If this solved your issue, don't forget to rate and mark as correct answer.

Thanks 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
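
A check worth running between the last two steps of the answer above (signing the ISE CSR on the Windows CA, then binding the result in ISE), as an added example that is not part of the original thread or of Cisco's documentation: it confirms that the issued certificate chains to the root, is marked as a CA, and carries the public key from the CSR. All files are constructed stand-ins generated with openssl; the file names and the functions `make_demo_pki` and `check_subca` are hypothetical.

```shell
#!/bin/sh
# Added example: every key and certificate is constructed locally with openssl;
# nothing here is real ISE or Microsoft CA output.

# Build a throwaway root CA, two CSRs ("sub" stands in for the CSR exported from
# ISE), and two certs for sub.csr: one signed as a CA, one wrongly as CA:FALSE.
make_demo_pki() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/ext.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=Constructed Root CA" -days 30 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for n in sub other; do
        openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed ISE Sub CA $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    for e in ca leaf; do
        openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -extfile "$d/ext.cnf" -extensions "v3_$e" -days 30 \
            -out "$d/sub_$e.pem" 2>/dev/null
    done
}

# check_subca ROOT_PEM CERT_PEM CSR_PEM: prints ok|chain-fail|not-a-ca|key-mismatch
check_subca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo chain-fail; return 1; }
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' || { echo not-a-ca; return 1; }
    cert_key=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    csr_key=$(openssl req -in "$3" -noout -pubkey | openssl sha256)
    [ "$cert_key" = "$csr_key" ] || { echo key-mismatch; return 1; }
    echo ok
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_subca "$demo_dir/root.pem" "$demo_dir/sub_ca.pem" "$demo_dir/sub.csr"
check_subca "$demo_dir/root.pem" "$demo_dir/sub_leaf.pem" "$demo_dir/sub.csr" || true
rm -rf "$demo_dir"
```

Against real files, call `check_subca` with the exported root certificate, the certificate returned by the Windows CA, and the CSR generated on ISE.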
Beginner

Great many thanks..!

VIP Advisor

You're very welcome 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Engager

I'm in the same situation, running internal CA on ISE with PSN nodes as Sub-CAs. I cannot get IOS routers to get the CA root/sub certs and enrol to get their own signed certs.

Is there an example out there that shows how to get Cisco IOS routers to do this with ISE?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.