Cisco ISE – Replace the Self Signed Certificate

KB ID 0001068 


Cisco ISE arms itself with a self generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).


Step 1: Import the CA Certificate into ISE

Note: If you have a lot issuing servers it’s a good idea the repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an off-line root that would be every SubCA (to use Microsoft terminology). On my test network I only have one so that’s not a problem.

1. Connect to the web enrollment portal of your Certificate services folder > Download a CA Certificate, certificate chain, or CRL.

Cisco ISE Certificates

2. Select DER encoding > Download CA Certificate.

Cisco ISE CA Cert

3. Save the certificate where you can find it, with a sensible name.

Cisco ISE Download Certificate

4. Log into ISE > Administration > System > Certificates > Certificate Store > Import.

Cisco ISE Import Certificates

5. Import the certificate you just saved and tick the ‘Trust for client authentication or secure Syslog services’ option > Submit.

Cisco ISE Root Certificates

Step 2: Generate a New Certificate for Cisco ISE

6. Whilst still in the certificate section > Local Certificates > Add > Generate Certificate Signing Request.

Cisco ISE Generate cert signing request

7. Enter the FQDN of the ISE appliance > Submit.

Cisco ISE Certificates

8. Certificates > Certificate Signing Requests > Export.

Cisco ISE Export PEM

9. Again save it somewhere you can find it easily.

Cisco ISE Save PEM

10. Open the PEM file you just created, and copy all the text to the clipboard.

Cisco ISE Copy Certificate

11. Back at you web enrollment portal > Request a certificate.

Cisco ISE Replace Certificate

12. Advanced certificate request.

Cisco ISE TLS Cert

13. Submit a certificate request by using…

Cisco ISE Cert Services

14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (of your own template, if you are not using the default one) > Submit.

Cisco ISE Domain PKI

15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.

Cisco ISE Certificates Signed

16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.

Cisco ISE Bind New Cert

17. Browse to the new cert > Select EAP and HTTPS > Submit.

Cisco ISE Cer file

18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)

At this point if you get an error either the URL is wrong, or you didn’t create a DNS record, or the machine you are on does not trust your issuing servers root certificate.</p?

Cisco ISE replace self generated

Related Articles, References, Credits, or External Links


Author: Migrated

Share This Post On