Provisioning CA and Server Certificates on Cisco ISE

Provision both ISE nodes with the CA root certificate and their own individual server certificates
(generated by certificate signing requests).

Relevant documentation:

CA Certificate

  1. First, download the Root CA Certificate from your Certificate Authority
  2. http://<ca>/certsrv/
  3. Click “Download a CA certificate, certificate chain, or CRL”


  1. Encoding method should be “DER”
  2. Click “Download CA Certificate”


Save it to a location on your file system.

  1. On ISE go to Administration > System > Certificates > Certificate Store. Click “Import”.
  2. Click Browse and locate the root CA Certificate.
  3. Tick “Trust for Client Authentication”. If you don’t, you may see failures with “12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain” when using EAP-TLS.
  4. Click “Submit”.


The CA Certificate will appear alongside the original self-signed certificate generated by ISE.


If you have 2 or 3 ISE nodes, you must repeat these Root CA steps on each of them.

ISE Local Server Certificates

  1. On each node go to Administration > System > Certificates > Local Certificates
  2. Click Add > Generate Certificate Signing Request
  3. Fill in the CN with the ISE node's FQDN and any other relevant fields. Click “Submit”.


  1. Go to Administration > System > Certificates > Certificate Signing Requests.
  2. Tick the request and click export.




  1. Save the request onto your computer and open it in Notepad.
  2. On your Microsoft CA Server (http://<ca>/certsrv/) go to Request Certificate > Advanced certificate request >
  3. Paste the contents of the CSR into the request field and select “Web Server” as the template.


  1. Click Submit
  2. Download the DER encoded certificate. Click “Download Certificate”
  3. On ISE go to Administration > System > Certificates > Local Certificates
  4. Click “Add” > “Bind CA Certificate”
  5. Select the certificate from your computer. Tick “EAP” and “Management Interface” and click “Submit”


  1. ISE will need to reload to complete the certificate installation.
  2. Perform this task on all nodes in the deployment before joining them together.
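
Before the “Bind CA Certificate” step, a quick check of the files saved on your workstation catches the usual mistakes: a certificate issued for another node's CSR, a CN that is not the node's FQDN, or a certificate from a different CA than the root imported into ISE. The script below is an added example, not part of the original post; it assumes the OpenSSL command-line tool is installed, and the file names and FQDN in its usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-bind checks for an ISE node
# certificate. Usage: check_ise_cert ROOT_DER CSR_PEM CERT_DER FQDN
# Exit status: 0 ok, 1 unreadable input, 2 key mismatch, 3 CN mismatch,
# 4 certificate does not chain to the given root.
check_ise_cert() (
    root_der=$1 csr=$2 cert_der=$3 fqdn=$4
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT

    # Both downloads were saved DER-encoded; convert to PEM for openssl verify.
    openssl x509 -inform DER -in "$root_der" -out "$tmp/root.pem" 2>/dev/null &&
    openssl x509 -inform DER -in "$cert_der" -out "$tmp/cert.pem" 2>/dev/null ||
        { echo "cannot parse root or node certificate" >&2; exit 1; }

    # The certificate is only usable with the private key ISE generated for
    # this CSR, so the public keys in the CSR and the certificate must match.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || exit 1
    crt_key=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
    [ "$csr_key" = "$crt_key" ] ||
        { echo "certificate key does not match the CSR" >&2; exit 2; }

    # The post sets the CN to the node's FQDN; confirm the CA kept it.
    cn=$(openssl x509 -in "$tmp/cert.pem" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$fqdn" ] ||
        { echo "CN '$cn' is not '$fqdn'" >&2; exit 3; }

    # The node certificate must chain to the root imported into ISE.
    openssl verify -CAfile "$tmp/root.pem" "$tmp/cert.pem" >/dev/null 2>&1 ||
        { echo "certificate does not chain to the supplied root" >&2; exit 4; }

    echo "OK: $cert_der matches CSR, CN=$cn, chains to $root_der"
)

# Run directly: sh check_ise_cert.sh root.cer node.csr node.cer node.example.test
if [ "$#" -eq 4 ]; then check_ise_cert "$@"; fi
```

Run it once per node with that node's CSR and certificate; a non-zero exit status identifies which check failed.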

4 thoughts on “Provisioning CA and Server Certificates on Cisco ISE”

  1. Could this be used to get Android/iOS devices to trust other certs issued by the MS AD CA? Since they cannot join domain.
