Re: Cisco ISE, EAP self signed certs and iPhones

latintrpt · ‎06-11-2019

Hi Guys -

I'm a little new to Cisco ISE and looking for guidance.

I have two EAP self signed certs for two different ISE servers that I'm using to authenticate wireless user's using PEAP.

Everything is working fine but I need to figure out how to manually push these certs to iPhones via Apple Configurator 2. When I export the self the signed certs out of ISE, they are presented to me in a .PEM format. When trying to use the Apple Configurator 2, it is asking for a PKCS1 or PKCS12 file format.

What do I need to do to get these self signed certs on the iPhones to be trusted?

Thanks,

Arne Bier · ‎06-11-2019

Hi @latintrpt

I'll gloss over the part about self-signed certs because that is usually not a good way to do anything, other than for quick and dirty lab testing.

You can convert a cert in PEM format into DER format (aka PKCS1) using openssl - (the syntax varies by which version of OS you have it installed). Using Ubuntu it would go like this (where the input file is Defaultselfsignedservercerti.pem, and the output file is cert.cer)

 openssl x509 -in Defaultselfsignedservercerti.pem -outform DER -out cert.cer

Every version of iOS may be different but the last time I had a look, you could email yourself a cert, and install that cert into the trust store. Then you select that cert and tell it that you want to trust it. It's a two step process.

Probably better done with an MDM if done at scale. Apple Configurator is great but not quite designed for mass deployment purposes.