Certificate Installation on ACS

First we will start with Root CA Certificate installation:

Login to Certificate server http://<ip or xyz>/certsrv

Click on “Download a CA Certificate, certificate chain or CRL


Select the Encoding Method „Base 64“and click on Download CA certificate.



Save it to a location on our file system.

Now we have Root CA, it’s time to install Root CA on ACS.

Login to ACS, go to Users and Identity Stores > External Identity Stores > Certificate Authorities

Click on Add.


Now Browse the Root CA, tick the check box “Trust for client with EAP-TLS” (Specially for EAP-TLS authentication) otherwise we will get error…example: 12514 (Failed SSL/TLS handshake)

Then click on Submit.


Now we will Download /Install the ACS local server Certificate:

We must use these steps:

  1. Go to System Administration > Local Certificates, then click on Add
  2. Select Generate Certificate Signing Request:
  3. Fill the Certificate Subject name, Key length. Click Submit.


Select third option “Generate Certificate Signing Request


Click Next.

Enter the Certificate subject name.

Choose key length to 1024 or 4096 (Max value).


Click Finish, this prompt will popup.


Click OK. Now we can this signing request under Outstanding signing Request.


Now Tick the request and click Export.


Save it and open in notepad.


Copy it

Login backup to certificate server and this time click on Request a Certificate.




Paste the certificate signing request here (Which we opened in notepad)

**Select Web Server


Download the Base 64 coded certificate. Click “Download certificate



Save it.

Now login again to ACS, select Bind CA signed Certificate


Click Next, browse the Certificate here.

Also tick EAP and Management interface and click Submit.



Select OK and Click Finish.

Sometime we need to reboot ACS to complete the certificate installation.

That’s all About ACS certificate installation 🙂

Provisioning CA and Server Certificates on Cisco ISE

Provision both ISE nodes with the CA root certificate and their own individual server certificates
(generated by certificate signing requests).

Relevant documentation:

CA Certificate

  1. First, download the Root CA Certificate from your Certificate Authority
  2. http://<ca>/certsrv/
  3. Click “Download a CA certificate, certificate chain, or CRL

Download CA


DER Format

  1. Encoding method should be „DER
  2. Click “Download CA Certificate

Save File

Save it to a location on your file system.

  1. On ISE go to Administration > System > Certificates > Certificate Store. Click “Import
  2. Click Browse and locate the root CA Certificate.
  3. Tick “Trust for Client Authentication”. If you don’t you may see failures with “12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain” when using EAP-TLS
  4. Click “Submit”.

ISE Certificate

The CA Certificate will appear alongside the original self-signed certificate generated by ISE.

Certificate Store

If you have 2 or 3 ISE nodes then you must repeat these steps for Root CA.

 ISE Local Server Certificates

  1. On each node go to Administration > System > Certificates > Local Certificates
  2. Click Add > Generate Certificate Signing Request
  3. Fill in the CN with the ISE nodes FQDN and any other relevant fields. Click “Submit

ISE Local

  1. Go to Administration > System > Certificates > Certificate Signing Requests.
  2. Tick the request and click export.



Open Notepad

  1. Save the request onto your computer and open it in notepad.
  2. On your Microsoft CA Server (//<ca>/certsrv/ ) go to Request Certificate > Advanced certificate request >
  3. Paste the contents of the CSR into the request field and select “Web Server” as the template.

Request a Certificate

Advanced Ceri Request


Renewl Request

  1. Click Submit
  2. Download the DER encoded certificate. Click “Download Certificate
  3. On ISE go to go to Administration > System > Certificates > Local Certificates
  4. Click “Add” > “Bind CA Certificate
  5. Select the certificate from your computer. Tick “EAP” and “Management Interface” and click “Submit

Bind CA

Bind CA Certificate

  1. ISE will need to reload to complete the certificate installation.
  2. Perform this task on all nodes in the deployment before joining them together.