1. Generate a CSR from ISE
2. Save the CSR in .pem format
3. Submit the CSR to the CA server as shown below
AAA_UUT_ASR#crypto pki server cisco request pkcs10 terminal pem
PKCS10 request in base64 or pem
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
% Granted certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
AAA_UUT_ASR#
4. Save the certificate to a file
5. Under the CSR tab in ISE, select the CSR and click on "Bind certificate"
6. Upload the certificate saved in step 4 and select "EAP-TLS and RADIUS-DTLS"
7. Execute the command below on the CA server to export the CA certificate
AAA_UUT_ASR(config)#crypto pki export cisco pem terminal
% The specified trustpoint is not enrolled (cisco).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
AAA_UUT_ASR(config)#
AAA_UUT_ASR(config)#
8. Save the above certificate and add it under "Trusted certificates" in ISE
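
Before binding in step 5, it helps to confirm that the file saved in step 4 carries the same public key as the CSR and verifies against the CA certificate exported in step 7. The script below is an added example, not part of the original post; it assumes OpenSSL on the admin workstation, and the function names and the file names passed to it are placeholders.

```shell
#!/bin/sh
# Added example: pre-bind checks on the PEM files saved in steps 2, 4 and 7.
# Usage (file names are assumptions): sh check.sh ise.csr ise-cert.pem ca.pem

# pubkey KIND FILE: print the public key of a CSR (KIND=req) or a certificate (KIND=x509).
pubkey() {
    openssl "$1" -in "$2" -noout -pubkey
}

# sig_alg CERT: print the certificate's signature algorithm name.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_issued CSR CERT CA
# Returns 0 = consistent, 1 = unreadable input, 2 = key mismatch, 3 = not issued by CA.
check_issued() {
    csr=$1 cert=$2 ca=$3
    want=$(pubkey req "$csr") || { echo "cannot read CSR: $csr"; return 1; }
    got=$(pubkey x509 "$cert") || { echo "cannot read certificate: $cert"; return 1; }

    # The granted certificate must carry the key ISE generated for this CSR,
    # otherwise the bind in step 5 cannot pair it with the private key.
    if [ "$want" != "$got" ]; then
        echo "public key in $cert does not match $csr"
        return 2
    fi

    # The certificate must verify against the CA certificate that will be
    # loaded under "Trusted certificates" in step 8.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert does not verify against $ca"
        return 3
    fi

    # Flag legacy digests so the CA's hash setting can be reviewed.
    for f in "$cert" "$ca"; do
        case $(sig_alg "$f") in
            md5*|sha1*) echo "warning: $f is signed with $(sig_alg "$f")" ;;
        esac
    done
    echo "ok: $cert matches $csr and chains to $ca"
}

if [ "$#" -eq 3 ]; then
    check_issued "$@"
fi
```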