Install a Third-Party CA-signed Certificate in ISE
Step-by-step guide to generate, import, and bind a third‑party CA certificate in Cisco ISE
Step‑by‑step procedure
Step 1: Generate a Certificate Signing Request (CSR)
- In ISE go to Administration > Certificates > Certificate Signing Requests and click Generate Certificate Signing Requests (CSR).
- Under Usage, select the certificate role (or Multi‑use). Select the target node and fill in OU, O, City, State and Country; the CN is auto-filled with the node FQDN. Optionally enable Allow Wildcard Certificates, but avoid a wildcard (*) in the CN for EAP use; put the wildcard in a SAN entry instead.
- Export the generated CSR and submit it to your third‑party CA for signing.
Step 2: Import Server Certificate and Chain
- Import any Root and Intermediate certificates first via Administration > Certificates > Trusted Certificates > Import, and mark the applicable trust checkboxes.
- Return to Administration > Certificates > Certificate Signing Requests, select the CSR you created and click Bind Certificate. Choose the signed server certificate location; ISE binds it to the stored private key.
- If the Admin role was selected, expect service restarts; plan downtime for Primary Admin Node deployments.
Verification
- Load the ISE admin page in a browser and inspect the certificate behind the lock icon to confirm the client machine trusts the full chain (this shows that the browser trusts the chain, not necessarily that ISE sent the full chain, since browsers can complete a chain from cached or AIA-fetched intermediates).
- For EAP authentication, capture and inspect the TLS handshake (tcpdump + Wireshark) and filter on ssl.handshake.certificates (tls.handshake.certificates in Wireshark 3.x and later) to confirm ISE is sending the full certificate chain inside the EAP-Message attributes.
Troubleshooting and common issues
- Supplicant rejects the ISE certificate: Verify ISE is sending the full chain; if the chain is incomplete, import the missing Root/Intermediate certificates into ISE Trusted Certificates.
- Chain present but endpoint still rejects: Ensure the Root/Intermediate certificates are installed in the client's local trust store (user or machine store, depending on the authentication type).
- Wildcard CN problems: Some CAs insert a wildcard (*) into the CN automatically; request a CA policy exception if needed to avoid EAP failures.
Risks and recommendations
- Service restarts when binding Admin certificates can cause brief outages; perform during maintenance windows.
- Windows supplicants are sensitive to CN wildcards—use SAN entries for wildcard coverage and test with representative clients before rollout.
- Always validate the Subject Key Identifier (SKI) and Authority Key Identifier (AKI) chain if you suspect chain mismatches.
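The handshake check in the Verification section and the SKI/AKI validation in the last point, as an added example that is not from this page or from Cisco: given the text that openssl x509 -text -noout prints for the certificates an ISE node presented in the TLS handshake, leaf first (for instance from openssl s_client -showcerts against the admin port, or from the certificates extracted out of the EAP-Message capture), the script walks the chain by issuer name and by AKI/SKI and reports why it is incomplete or mismatched. The certificates, key identifiers, CA names and the ise01.example.com node name are constructed for the example.

```python
import re
# Constructed `openssl x509 -text -noout` excerpts, leaf first, for the certificates a
# hypothetical ISE node presented (OpenSSL 1.1 prints the AKI as "keyid:<hex>", 3.x as "<hex>").
LEAF = """Certificate:
        Issuer: C = US, O = Example, CN = Example Issuing CA
        Subject: C = US, O = Example, CN = ise01.example.com
            X509v3 Subject Key Identifier:
                11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
            X509v3 Authority Key Identifier:
                keyid:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
"""
INTERMEDIATE = """Certificate:
        Issuer: C = US, O = Example, CN = Example Root CA
        Subject: C = US, O = Example, CN = Example Issuing CA
            X509v3 Subject Key Identifier:
                22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
            X509v3 Authority Key Identifier:
                33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
"""
# Roots in the trust store (ISE Trusted Certificates / client store), keyed by SKI.
TRUSTED_ROOTS = {"33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33":
                 "C = US, O = Example, CN = Example Root CA"}

def parse_x509_text(text):
    """One dict (subject, issuer, ski, aki) per "Certificate:" block, in the order presented."""
    certs = []
    for blob in re.split(r"(?m)^Certificate:\s*$", text)[1:]:  # [0] precedes the first block
        def grab(pattern):
            m = re.search(pattern, blob)
            return m.group(1).strip() if m else ""
        certs.append({"subject": grab(r"(?m)^\s*Subject: (.+)$"),
                      "issuer": grab(r"(?m)^\s*Issuer: (.+)$"),
                      "ski": grab(r"Subject Key Identifier:\s*([0-9A-F:]{20,})"),
                      "aki": grab(r"Authority Key Identifier:\s*(?:keyid:)?([0-9A-F:]{20,})")})
    return certs

def chain_problems(presented, trusted_roots):
    """Walk leaf first; an empty list means the presented chain is complete."""
    if not presented:
        return ["no certificate presented"]
    problems = []
    for cert, issuer in zip(presented, presented[1:]):
        if cert["issuer"] != issuer["subject"]:
            problems.append(f"{cert['subject']}: next certificate is not its issuer")
        elif cert["aki"] != issuer["ski"]:  # same CA name, but a different (re-keyed) key
            problems.append(f"{issuer['subject']}: AKI/SKI mismatch, same name but different key")
    last = presented[-1]  # must be a self-signed root or chain to one in the trust store
    if last["issuer"] != last["subject"] and last["aki"] not in trusted_roots:
        problems.append(f"incomplete: {last['issuer']} not presented and not in the trust store")
    return problems
```

An intermediate that was re-issued under the same name with a new key passes the issuer-name comparison but fails the AKI/SKI comparison, which is the mismatch the last point above refers to.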
Related resources
- Cisco Identity Services Engine Administrator Guide Release 3.0 for deeper configuration context and examples.