ISE PKI CA modification

jaime.pedraza (Level 1)

Hello everyone,

At this moment I have a two-node ISE platform acting as a subordinate CA of a Microsoft Root CA. The deployment needs to include two PSNs.

I have looked for detailed information about the PKI and the procedure to make this architecture change without affecting the platform. Does anyone have links with technical info about it? Many thanks in advance.

9 Replies

kthiruve (Cisco Employee)

Hi,

What version of ISE are you using? There have been changes in the CA architecture in ISE in past versions.

Also, if ISE PAN is a subordinate CA, are you saying you are issuing certificates from ISE?

Here are some options

1. If you are issuing certificates only from the MS root, you can get the certificates for both PSNs from it. By doing this, the node-to-node communication will be much easier since the root CA is already trusted in the PAN. All you need is to add the MS root to the trusted store in the PSN. You can generate a CSR from ISE to do this. Here is a link to this:

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Manage Certificates [Cisco Identity Services Engine] …

2. You can also generate a certificate using the DNS/FQDN from MS CA and import the cert + key in ISE PSN.

3. Finally there is the option of a wildcard certificate. Independent of the DNS name, by using a wildcard certificate you can expand up to any number of PSNs. You can replace the regular certificate with wildcard certificates on specific or all the nodes. See the link above for more information.

Hope it helps.

Thanks

Krishnan

Hello Krishnan,

Many thanks for your help. We are upgrading to 2.1. The actual architecture has two nodes with the three personas. The objective is to have 4 nodes (2 PAN and 2 PSN). The Root CA is a MS CA. Our doubts are related to:

- What is the correct configuration to keep the certificate chain consistent and not affect the onboarded devices that hold certificates issued by the PAN: deploy the new PSNs and trust the certificates issued by the PAN to the PSNs, or configure the PSNs as subordinate CAs too?

- What other considerations do we need to take into account to guarantee the minimum service outage?

Regards,

Jaime

hslai (Cisco Employee)

Has the upgrade occurred already? Are you still seeking answers?

Hello Hslai,

No, we haven't done the upgrade. Many questions yet. The architecture is simple: the RootCA is Microsoft; today there are two nodes with 3 personas each, and they are already a SubordinateCA. The nodes issue certificates for onboarding and use their own certificate for portals.

Now, in version 2.1 Aaron Woland talked about 4 certificates when a PSN is deployed, but I think it is still necessary to have the RootCA previously loaded on the PSNs to do this. Another question is: when the new node is joined to the deployment, the new method automatically turns it into a Subordinate CA (and the PSN now generates the certificates for onboarding), is that correct?

Many thanks in advance for all your comments and help!

Regards,

Jaime

hslai (Cisco Employee)

Are you upgrading from ISE 1.3 or 1.4 to ISE 2.1? If so, the ISE internal CA structure would not change until you replace it, and any new node added will have its ISE internal CA certificates issued the same way as before.

You are correct that the Microsoft RootCA would need to be imported and trusted for client auth, as long as the ISE internal CA is acting as a SubCA to the Microsoft CA.

Hslai, thanks! Unfortunately I am not certain if the customer had 1.4 initially or started with 2.0. Are the new PSNs enrolled as SubordinateCAs automatically, or does this procedure have to be done manually? The architecture described by Cisco in the config guide talks about PSNs becoming 3rd-level Subordinate CAs in this scenario, but for me it is unclear if this enrollment is done just by joining the PSNs, or if some steps have to be done manually.

hslai (Cisco Employee)

Aaron presented it in a couple of venues, e.g. Advanced ISE Services, Tips and Tricks (2016 Las Vegas).

Below are ISE CA slides you might have already seen. The first is ISE 1.3 and 1.4 and the other two are ISE 2.0+.

[Screenshot: Screen Shot 2017-01-18 at 5.18.23 PM.png (ISE 1.3/1.4 CA hierarchy)]

[Screenshot: Screen Shot 2017-01-18 at 5.19.14 PM.png (ISE 2.0+ CA hierarchy)]

[Screenshot: Screen Shot 2017-01-18 at 5.20.55 PM.png (ISE 2.0+ CA hierarchy)]

They do not show the ISE CA signed by an external PKI, though. In that case you may add a tier above the ISE Root CA, so that the ISE CA chain in ISE 2.0+ will be MS AD CS root CA -> ISE intermediate CA -> Node CA -> EP_CA -> Endpoint certs.

[Screenshot: Screen Shot 2017-01-18 at 5.31.17 PM.png (ISE CA chain under an external root)]

Thus, you may determine whether the ISE deployment uses dual root or single root.

Thanks Hslai,

Is there any way to verify if the "Replace Root CA" was indeed performed?

After the replace operation, both the old and new certificate chains will show in the ISE admin web UI, and the ISE admin may delete the old chain if it is no longer of use.

This shows two sets of ISE CA cert chains:

[Screenshot: Screen Shot 2017-02-15 at 10.55.16 PM.png (two ISE CA cert chains in the admin UI)]

And the Change Configuration Audit has an entry:

[Screenshot: Screen Shot 2017-02-15 at 10.56.56 PM.png (Change Configuration Audit entry)]

It's more reliable to check the cert hierarchy to verify whether it is using a single or dual root.
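The hierarchy check suggested above can be scripted. The following is an added example, not code from the thread or from Cisco: it assumes you have exported each certificate in the deployment's CA and trusted stores as PEM and run `openssl x509 -noout -subject -issuer` on each file, then concatenated that output. It walks the subject/issuer links to rebuild each chain, counts self-signed certificates to report single versus dual root, and flags chains whose issuer certificate is missing from the store (the "keep the chain consistent" concern raised earlier in the thread). All certificate names below are constructed placeholders modelled on the MS root -> ISE intermediate CA -> Node CA -> EP_CA chain described above; the exact spacing in real openssl output varies by version, and only the text after `subject=` / `issuer=` is used.

```python
"""Rebuild an ISE CA hierarchy from openssl subject/issuer output and classify its root model."""
from typing import Dict, List, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN) as printed by `openssl x509 -noout -subject -issuer`

# Constructed sample: a complete chain under a single external root (names are hypothetical).
SINGLE_ROOT_STORE = """\
subject=CN=Endpoint-Cert, O=Example
issuer=CN=EP Sub CA - ise-psn1, O=Example
subject=CN=EP Sub CA - ise-psn1, O=Example
issuer=CN=Node CA - ise-psn1, O=Example
subject=CN=Node CA - ise-psn1, O=Example
issuer=CN=ISE Intermediate CA, O=Example
subject=CN=ISE Intermediate CA, O=Example
issuer=CN=Corp-MS-Root-CA, O=Example
subject=CN=Corp-MS-Root-CA, O=Example
issuer=CN=Corp-MS-Root-CA, O=Example
"""

# Constructed sample: old self-signed ISE root still present beside the new external root.
DUAL_ROOT_STORE = """\
subject=CN=Old EP Sub CA - ise-pan1, O=Example
issuer=CN=Old Node CA - ise-pan1, O=Example
subject=CN=Old Node CA - ise-pan1, O=Example
issuer=CN=Old ISE Root CA - ise-pan1, O=Example
subject=CN=Old ISE Root CA - ise-pan1, O=Example
issuer=CN=Old ISE Root CA - ise-pan1, O=Example
subject=CN=New EP Sub CA - ise-psn1, O=Example
issuer=CN=New Node CA - ise-psn1, O=Example
subject=CN=New Node CA - ise-psn1, O=Example
issuer=CN=ISE Intermediate CA, O=Example
subject=CN=ISE Intermediate CA, O=Example
issuer=CN=Corp-MS-Root-CA, O=Example
subject=CN=Corp-MS-Root-CA, O=Example
issuer=CN=Corp-MS-Root-CA, O=Example
"""

# Constructed sample: a new PSN's CA certs whose issuer was never imported (broken chain).
BROKEN_STORE = """\
subject=CN=New EP Sub CA - ise-psn2, O=Example
issuer=CN=New Node CA - ise-psn2, O=Example
subject=CN=New Node CA - ise-psn2, O=Example
issuer=CN=ISE Intermediate CA, O=Example
"""


def parse_openssl_pairs(text: str) -> List[Cert]:
    """Pair consecutive 'subject=' and 'issuer=' lines into (subject, issuer) tuples."""
    subjects, issuers = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subjects.append(line[len("subject="):].strip())
        elif line.startswith("issuer="):
            issuers.append(line[len("issuer="):].strip())
    if len(subjects) != len(issuers):
        raise ValueError("unbalanced subject/issuer lines in openssl output")
    return list(zip(subjects, issuers))


def root_model(certs: List[Cert]) -> Tuple[str, List[str]]:
    """Count self-signed certificates: one means single root, two means dual root."""
    roots = sorted(subject for subject, issuer in certs if subject == issuer)
    label = {0: "no root present", 1: "single root", 2: "dual root"}.get(len(roots), f"{len(roots)} roots")
    return label, roots


def leaf_subjects(certs: List[Cert]) -> List[str]:
    """Subjects that issue nothing else in the store: the bottom of each chain."""
    issuers = {issuer for _, issuer in certs}
    return [subject for subject, _ in certs if subject not in issuers]


def build_path(certs: List[Cert], leaf_subject: str) -> Tuple[List[str], bool]:
    """Walk issuer links upward. Returns (path, complete); when incomplete, path[-1] is the missing issuer."""
    by_subject: Dict[str, str] = dict(certs)
    path = [leaf_subject]
    while True:
        current = path[-1]
        issuer = by_subject.get(current)
        if issuer is None:          # the certificate named by `current` is not in the store
            return path, False
        if issuer == current:       # self-signed: a root has been reached
            return path, True
        if issuer in path:          # defensive: refuse to loop on cross-signed certs
            return path, False
        path.append(issuer)


def report(text: str) -> dict:
    """Summarise root model and per-leaf chain completeness for one exported store."""
    certs = parse_openssl_pairs(text)
    label, roots = root_model(certs)
    chains = {}
    for leaf in leaf_subjects(certs):
        path, complete = build_path(certs, leaf)
        chains[leaf] = {"path": path, "complete": complete}
    return {"model": label, "roots": roots, "chains": chains}


if __name__ == "__main__":
    for name, store in (("single", SINGLE_ROOT_STORE), ("dual", DUAL_ROOT_STORE), ("broken", BROKEN_STORE)):
        result = report(store)
        print(f"{name}: {result['model']} {result['roots']}")
        for leaf, info in result["chains"].items():
            status = "OK" if info["complete"] else "BROKEN (missing " + info["path"][-1] + ")"
            print("   ", " -> ".join(info["path"]), status)
```

A dual-root result after a "Replace Root CA" operation is expected until the old chain is deleted; an incomplete chain on a freshly joined PSN is the case to fix before endpoints start receiving certificates from it.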
