
Managed PKI for SSL - Installation Instructions for Cisco ISE

Solution


This document provides installation instructions for Cisco ISE. If you are unable to use these instructions for your server, Symantec recommends that you contact the server vendor or the organization that supports ISE.
 

Step 1: Obtain the SSL Certificate

  1. Once your Managed PKI for SSL administrator has approved your certificate request, you will receive an email containing
    a certificate download link. The certificate is also attached (cert.cer) and included in the body of the email itself.
  2. If copying the certificate embedded in the body of the email, paste it into a text file using Vi or Notepad.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters.
    Confirm that there are no extra lines or spaces in the file.

    The text file should look like:

    -----BEGIN CERTIFICATE-----
              [encoded data]
    -----END CERTIFICATE-----

    NOTE: Click here to download the certificate from your Managed PKI for SSL subscriber services page.
    Please select X.509 as a certificate format and copy only the End Entity Certificate.
     
  3. Save the certificate as public.cer


Step 2: Download the Symantec intermediate CA certificate

  1. Go to the Symantec Intermediate CA Certificates page.
  2. Click the Managed PKI for SSL tab, then click the appropriate link for your SSL certificate.
    For example, if you are installing a Premium SSL Certificate, click the Premium Intermediate CA Certificate link.
  3. Under Intermediate CA, select the appropriate intermediate CA for your SSL certificate type.
  4. Copy the intermediate CA and paste it into a plain text editor such as Notepad.
  5. Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white spaces,
    extra line breaks or additional characters have been inadvertently added.
  6. Save the file as intermediate.cer.
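
The file checks asked for in Steps 1 and 2 (exact marker lines, no stray whitespace or word-processor characters, a complete body) can be automated before upload. This is an added example, not Symantec or Cisco tooling; the function names are illustrative and the sample is a constructed placeholder rather than a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed sample: a placeholder DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x81\x90" + bytes(0x90)
SAMPLE_PEM = f"{BEGIN}\n{base64.encodebytes(SAMPLE_DER).decode()}{END}\n"

def check_marker(line, expected, problems):
    name = expected.strip("-")
    if re.search(r"[\u2010-\u2015\u2212]", line):   # dashes Word substitutes
        problems.append(f"{name} line contains word-processor dashes")
    elif line != expected:
        problems.append(f"{name} line missing or not 5 dashes each side")

def lint_pem(text):
    """Return a list of problems; an empty list means the paste is clean."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark at start of file")
        text = text[1:]
    lines = text.splitlines() or [""]
    check_marker(lines[0], BEGIN, problems)
    check_marker(lines[-1], END, problems)
    body = lines[1:-1]
    for n, line in enumerate(body, start=2):
        if not line.strip():
            problems.append(f"line {n}: blank line")
        elif line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
        elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            problems.append(f"line {n}: character outside base64 alphabet")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        return ["body is not valid base64"]
    # A certificate is one DER SEQUENCE whose length covers every decoded byte.
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded data is not a DER SEQUENCE"]
    n, hdr = der[1], 2
    if n & 0x80:                      # long-form length
        hdr += n & 0x7F
        n = int.from_bytes(der[2:hdr], "big")
    if hdr + n != len(der):
        return [f"DER declares {hdr + n} bytes, decoded {len(der)}"]
    return []
```

Run `lint_pem(open("public.cer", encoding="utf-8").read())` and the same for intermediate.cer; an empty list means the file passed every check.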


Step 3: Install the SSL Certificate

  1. Choose Administration > System > Certificates.
  2. From the Certificate Operations navigation pane on the left, click Local Certificates
    NOTE: To import a local certificate to a secondary node, choose Administration > System > Server Certificate.
  3. Choose Add > Import.
  4. The Import Server Certificate page appears as shown below.



     
  5. Click Browse to choose the certificate file and the private key from the system that is running your client browser.
  6. If the private key is encrypted, enter the password to decrypt it.
  7. In the Protocol area:
  • Check the EAP check box to use this certificate for EAP protocols to identify the Cisco ISE node.
  • Check the Management Interface check box to use this certificate to authenticate the web server (GUI).
    NOTE: If you check the Management Interface check box, ensure that the CN value in the Certificate Subject is the fully qualified
    domain name (FQDN) of the node. Otherwise, the import process will fail.
     
  8. In the Override Policy area, check the Replace Certificate check box to replace an existing certificate with a duplicate certificate.
    NOTE: A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate.
    This option updates the content of the certificate, but retains the existing protocol selections for the certificate.
  9. Click Submit to import the local certificate.
    NOTE: If you import a local certificate to your primary Cisco ISE node, you must restart the secondary nodes connected to your primary
    Cisco ISE node. To restart the secondary nodes, from the command-line interface (CLI), enter the following commands:

    a. application stop ise

    b. application start ise
     

Step 4: Install the intermediate CA certificates

  1. Choose Administration > System > Certificates.
  2. From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.
  3. The Certificate Authority Certificates page appears.
  4. Click Add.
  5. The Import a new Trusted CA (Certificate Authority) Certificate page appears as shown below.


     
  6. Click Browse to choose the certificate authority certificate from the file system that is running the client browser.
  7. Check the Trust for client with EAP-TLS check box if you want to use this certificate in the trust list for EAP-TLS protocols.
    NOTE: If you check the Trust for client with EAP-TLS check box, ensure that the keyUsage extension is present and the
    keyCertSign bit is set, and the basic constraints extension is present with the CA flag set to true.
  8. Add an optional description.
  9. Click Submit to save the certificate authority certificate.
    NOTE: If you add a certificate authority certificate to your primary Cisco ISE node, you must restart the secondary nodes connected to your primary Cisco ISE node.
    To restart the secondary nodes, from the command-line interface (CLI), enter the following commands:

    a. application stop ise

    b. application start ise
     
  10. Verify your installation with the Symantec Crypto Report
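
The EAP-TLS trust requirement in item 7 (keyUsage present with keyCertSign set, basicConstraints present with CA true) can be confirmed on the intermediate before import. This is an added example, not Symantec or Cisco code: it takes the DER bytes (the base64-decoded body of intermediate.cer), the function names are illustrative, and the two samples are constructed extension lists rather than real certificates.

```python
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19

def tlvs(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                             # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def find_extension(der, oid):
    """Search for SEQUENCE { OID, [critical], OCTET STRING }; return the value."""
    for tag, val in tlvs(der):
        if tag & 0x20:                           # constructed: SEQUENCE, SET, [n]
            kids = list(tlvs(val))
            if tag == 0x30 and kids and kids[0] == (0x06, oid) and kids[-1][0] == 0x04:
                return kids[-1][1]
            hit = find_extension(val, oid)
            if hit is not None:
                return hit
    return None

def eap_tls_trust_problems(der):
    """List what would make this CA certificate unfit for the EAP-TLS trust list."""
    problems = []
    ku = find_extension(der, OID_KEY_USAGE)
    if ku is None:
        problems.append("keyUsage extension missing")
    else:
        bits = next(tlvs(ku))[1]                 # BIT STRING: unused-bit count, flags
        if len(bits) < 2 or not bits[1] & 0x04:  # keyCertSign is bit 5
            problems.append("keyCertSign bit not set")
    bc = find_extension(der, OID_BASIC_CONSTRAINTS)
    if bc is None:
        problems.append("basicConstraints extension missing")
    else:
        fields = list(tlvs(next(tlvs(bc))[1]))   # SEQUENCE { cA BOOLEAN, ... }
        if fields[:1] != [(0x01, b"\xff")]:      # DER TRUE is 0xFF
            problems.append("basicConstraints CA flag not true")
    return problems

# Constructed samples (extension lists only): a CA profile and an end-entity profile.
CA_SAMPLE = bytes.fromhex("3021300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff")
EE_SAMPLE = bytes.fromhex("301e300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000")
```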


Cisco

         For more information refer to Cisco ISE documentation