HON’s Wiki

# Cisco Identity Services Engine (ISE)
I keep most of my Cisco notes elsewhere, sorry.
## Certificate Administration
- Certificate types:
    - System certs: Per node.
    - Trusted certs: CA certs used to trust leaf certs for various uses. Replicated to all nodes.
    - Issued certs: Certs issued by ISE, e.g. for endpoints, ISE messaging and pxGrid services.
- System certs:
    - Leaf certs for ISE nodes and node-associated services, e.g. the admin page, EAP, RADIUS-DTLS, portals, SAML and pxGrid.
    - Configured per node, but for certain services a cert may be shared by all nodes if configured properly.
    - A single cert may be used for all services, or a different cert for each. Certain services like pxGrid and SAML should however have separate certs.
    - The pxGrid cert requires both the server auth and client auth usages to be enabled, so it should be a separate cert.
    - The admin cert is used for the admin web UI, the admin web API, communication between ISE nodes, and communication between ISE nodes and external services.
    - Most (all?) system certs should be signed by a public CA since many of the services are web-based.
    - Changing the admin cert causes the ISE node to restart.
- Trusted certs:
    - CA certs used to trust leaf certs for various uses.
    - Replicated to all nodes.
    - When adding new system certs, the CA cert above them should be added as trusted for the appropriate services.
    - When adding new nodes with self-signed certs, their certs are automatically added to the trusted certs to allow trusted communication. This does not happen if the new node already has a cert signed by a trusted CA.
- Issued certs:
    - Should use a CA cert signed by a corporate or public CA. (Why not a private CA?) Uses a self-signed CA cert by default.
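Two of the points above can be checked against a certificate before it is installed: that a pxGrid cert carries both the server auth and client auth usages, and that a new system cert actually chains to a CA present in the trust store. The Go program below is an added example written for this page, not code from the wiki or from Cisco. It generates a constructed lab CA, an unrelated CA and two leaf certs in memory (no ISE is involved, and the hostnames are made up) and runs both checks on them; `HasServerAndClientAuth`, `ChainsToTrusted`, `mkCert` and `NewFixtures` are names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseCert decodes the first CERTIFICATE block of a PEM blob.
func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// HasServerAndClientAuth reports whether a leaf carries both the serverAuth and
// clientAuth EKUs, the requirement the notes state for the pxGrid cert.
func HasServerAndClientAuth(leafPEM []byte) (bool, error) {
	cert, err := parseCert(leafPEM)
	if err != nil {
		return false, err
	}
	has := map[x509.ExtKeyUsage]bool{}
	for _, eku := range cert.ExtKeyUsage {
		has[eku] = true
	}
	return has[x509.ExtKeyUsageServerAuth] && has[x509.ExtKeyUsageClientAuth], nil
}

// ChainsToTrusted reports whether the leaf verifies against a trust store holding only
// trustedCAPEM: what fails when the CA above a new system cert was never added as trusted.
func ChainsToTrusted(leafPEM, trustedCAPEM []byte) (bool, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(trustedCAPEM) {
		return false, fmt.Errorf("no usable CA cert in trust store input")
	}
	leaf, err := parseCert(leafPEM)
	if err != nil {
		return false, err
	}
	// ExtKeyUsageAny keeps this check about the chain only, not about EKUs.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil, nil
}

// mkCert issues a one-day cert (self-signed when parent is nil) and returns the parsed
// cert, its key and its PEM. Constructed test material only, so it panics on failure.
func mkCert(cn string, serial int64, isCA bool, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // must differ between certs of one CA
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewFixtures builds, in memory and with no ISE involved, a constructed lab CA, an
// unrelated CA, a pxGrid-style leaf with both EKUs and a leaf with serverAuth only.
func NewFixtures() (caPEM, otherCAPEM, pxGridPEM, serverOnlyPEM []byte) {
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	ca, caKey, caPEM := mkCert("Constructed Lab CA", 1, true, nil, nil, nil)
	_, _, otherCAPEM = mkCert("Unrelated CA", 2, true, nil, nil, nil)
	_, _, pxGridPEM = mkCert("ise-pxgrid.example.test", 3, false, both, ca, caKey) // made-up hostname
	_, _, serverOnlyPEM = mkCert("ise-admin.example.test", 4, false, both[:1], ca, caKey)
	return caPEM, otherCAPEM, pxGridPEM, serverOnlyPEM
}

func main() {
	caPEM, _, pxGridPEM, _ := NewFixtures()
	ekusOK, _ := HasServerAndClientAuth(pxGridPEM)
	chained, _ := ChainsToTrusted(pxGridPEM, caPEM)
	fmt.Println("pxGrid EKUs ok:", ekusOK, "chains to trusted CA:", chained)
}
```

Running it reports both checks as true for the pxGrid-style leaf; the serverAuth-only leaf fails `HasServerAndClientAuth`, and checking a leaf against the unrelated CA makes `ChainsToTrusted` return false. Against a real ISE node the PEM would be exported from the node and read from a file instead of being generated in memory.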