Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
5
Helpful
3
Replies

Using ISE CA to sign CSRs

Go to solution
cat5__utp
Level 1
Level 1

‎10-23-2017 03:03 AM

I have an ISE deployment that is currently using AD for auth of users. I would like to use certificates to verify the machine identity, one thing that is holding me back is that the deployment has no PKI.

As ISE can function as a CA, is it possible to create CSRs on the endpoints and then use the ISE CA to sign them? These are static endpoints and not BYOD, so once the certs are pushed out there is little ongoing admin.

1 Accepted Solution

Accepted Solutions

Go to solution
gbekmezi-DD
Level 5
Level 5

‎10-23-2017 09:48 AM

Does this help?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/certificate_provisioning/b_certificateprovisioningportalFAQs.html#reference_BCF69D6F74A547AB93079B75B94231A2__Q1

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

View solution in original post

3 Replies 3

Go to solution
gbekmezi-DD
Level 5
Level 5

‎10-23-2017 09:48 AM

Does this help?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/certificate_provisioning/b_certificateprovisioningportalFAQs.html#reference_BCF69D6F74A547AB93079B75B94231A2__Q1

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

Go to solution
cat5__utp
Level 1
Level 1
In response to gbekmezi-DD

‎10-27-2017 01:27 AM

HI, Thank you so much for your helpful answer, thats cleared it up for me. Certificate signing requests was indeed what I was looking at instead of cloud services routers.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎10-23-2017 10:10 AM

If CSRs as in certificate signing requests and if they are conforming to the certificate templates in ISE, then ISE may sign them as George already pointed out.

In case CSR as in Cisco Cloud Services Router, then ISE internal CA is not currently supporting to issue certificates for Cisco IOS devices, last I checked. It's because Cisco IOS requiring the certificate with Key-encipherment, digital-signature, or both, and the CA certificates in ISE internal CA chains are not meeting that.

Customers Also Viewed These Support Documents