KB ID 0001068
Cisco ISE arms itself with a self generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).
Step 1: Import the CA Certificate into ISE
Note: If you have a lot issuing servers it’s a good idea the repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an off-line root that would be every SubCA (to use Microsoft terminology). On my test network I only have one so that’s not a problem.
3. Save the certificate where you can find it, with a sensible name.
4. Log into ISE > Administration > System > Certificates > Certificate Store > Import.
5. Import the certificate you just saved and tick the ‘Trust for client authentication or secure Syslog services’ option > Submit.
Step 2: Generate a New Certificate for Cisco ISE
6. Whilst still in the certificate section > Local Certificates > Add > Generate Certificate Signing Request.
8. Certificates > Certificate Signing Requests > Export.
9. Again save it somewhere you can find it easily.
10. Open the PEM file you just created, and copy all the text to the clipboard.
11. Back at you web enrollment portal > Request a certificate.
12. Advanced certificate request.
13. Submit a certificate request by using…
14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (of your own template, if you are not using the default one) > Submit.
Related Articles, References, Credits, or External Links