It sounds like you're making solid progress in setting up EAP authentication, but you may indeed have a mismatch in certificate configuration. Let's address your specific queries:
- Should you have used the "Subordinate Certification Authority" template?
No, the "Subordinate Certification Authority" template is used when creating a certificate for a subordinate CA, not for server authentication purposes. For EAP authentication, the correct certificate template is typically based on the Server Authentication purpose.
The template you should use for ISE in this context is:
- Web Server or RADIUS Server, depending on your CA configuration.
- Ensure the template includes the Server Authentication purpose (OID: 1.3.6.1.5.5.7.3.1).
If your CA does not have a specific RADIUS template, you can customize the Web Server template to meet your needs.
- How can you create an intermediate certificate on Windows Server 2019 CA?
An intermediate certificate isn't strictly necessary for your current setup unless your organization's certificate hierarchy requires it. If your CA issues certificates directly (i.e., it acts as a root CA), intermediate certificates wouldn't typically come into play. However, here’s how to create an intermediate CA if needed:
Steps to create an intermediate certificate:
**Prepare a new server for the intermediate CA (if applicable):**
- Install the AD Certificate Services role on the intermediate CA server.
- Choose "Certificate Authority" and configure it as a Subordinate CA during setup.
- During the CA installation, generate a CSR for the subordinate CA.
- Submit the CSR to the root CA using the "Subordinate Certification Authority" template.

**Issue the intermediate certificate:**
- On the root CA, approve the CSR and issue a certificate using the subordinate CA template.
- Export the issued certificate and import it into the intermediate CA during its setup.

**Publish the Intermediate CA certificate:**
- Publish the intermediate certificate in your environment's **Trusted Certificates** store and ensure it is included in your certificate chain.
Alternative Approach:
If you are not explicitly setting up a CA hierarchy, your immediate issue may not require creating a separate intermediate CA. Instead, focus on ensuring the certificate chain for ISE is complete.
- How to resolve the missing intermediate certificate issue?
To ensure proper EAP authentication, the full certificate chain (Root CA → Intermediate CA(s) → ISE Server Certificate) must be trusted by the clients and devices in your environment. If there is a missing intermediate certificate:
Steps to Verify and Resolve:
**Check the Certificate Chain:**
- Open the ISE server certificate in a tool like Windows Certificate Manager or OpenSSL and examine the chain.
- Ensure the intermediate certificates are present and correctly link to the root CA.

**Export the Intermediate Certificate from the Windows CA:**
- On your Windows CA server, export the intermediate certificates from the CA console. This is typically found under:
  - **Certification Authority → Issued Certificates** or
  - **Certificate Templates → [Template Name]**.
- Save the intermediate certificate in Base-64 or DER format.

**Import into ISE Trusted Certificates:**
- Go to **Administration → Certificates → Trusted Certificates** in Cisco ISE.
- Import the intermediate certificate(s) to ensure the ISE server certificate chain is complete.

**Test Client Trust:**
- Ensure client devices trust the Root CA and Intermediate CA certificates. Deploy them through Group Policy, MDM, or other trust-distribution mechanisms.
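A PowerShell check for the two points above, added here as an example and not part of the original reply: it reads an exported ISE server certificate, confirms the Server Authentication EKU, builds the chain with the intermediate supplied explicitly, and writes the intermediate out in Base-64 for the ISE Trusted Certificates import. The file paths are assumptions for this example.

```powershell
# Added example, not from the original reply: offline check of an exported ISE
# server certificate for (1) the Server Authentication EKU and (2) a complete
# chain through the intermediate, plus a Base-64 (PEM) export helper.
# All file paths below are assumptions for this example.
$ServerCertPath   = 'C:\certs\ise-server.cer'    # assumed: ISE system certificate, exported
$IntermediatePath = 'C:\certs\intermediate.cer'  # assumed: subordinate CA cert from the Windows CA
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'
$X509 = 'System.Security.Cryptography.X509Certificates'

$cert = New-Object "$X509.X509Certificate2" -ArgumentList $ServerCertPath

# 1. EKU check: a cert issued from the wrong template (e.g. Subordinate CA) lacks this purpose.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
Write-Host "Server Authentication EKU present: $hasServerAuth"
if (-not $hasServerAuth) { Write-Warning "Re-issue from a Web Server / RADIUS Server template that includes $ServerAuthOid" }

# 2. Chain check: hand the builder the intermediate explicitly (as ISE would from its
#    Trusted Certificates store) and require the Server Authentication policy end to end.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # structural check only; no CRL/OCSP fetch here
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($ServerAuthOid)) | Out-Null
if (Test-Path $IntermediatePath) {
    $chain.ChainPolicy.ExtraStore.Add((New-Object "$X509.X509Certificate2" -ArgumentList $IntermediatePath)) | Out-Null
}
$chainOk = $chain.Build($cert)
Write-Host "Chain builds cleanly: $chainOk"
foreach ($el in $chain.ChainElements) { Write-Host ("  " + $el.Certificate.Subject) }
foreach ($s in $chain.ChainStatus)   { Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
# PartialChain means an issuer was not found: export it from the CA and import it under
# Administration > Certificates > Trusted Certificates in ISE (and push the root to clients).
if ($chain.ChainStatus | Where-Object { $_.Status -eq 'PartialChain' }) {
    Write-Warning "Chain is incomplete: an intermediate or root certificate is missing"
}

# 3. Base-64 (PEM) export, one of the formats the ISE Trusted Certificates import accepts.
function Export-PemCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Path
    )
    $b64   = [Convert]::ToBase64String($Certificate.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }   # 64-char PEM lines
    $pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    Set-Content -Path $Path -Value $pem -Encoding Ascii
}
# Write the intermediate (chain element 1, directly above the leaf) as PEM for import into ISE.
if ($chain.ChainElements.Count -ge 2) {
    Export-PemCertificate -Certificate $chain.ChainElements[1].Certificate -Path 'C:\certs\intermediate.pem'  # assumed path
}
```

Run it on a domain-joined host that already trusts the root CA; the ApplicationPolicy setting also fails the build if the subordinate CA certificate itself restricts EKUs and omits Server Authentication.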
Summary of Correct Configuration:
- Certificate Template for ISE: Use a Web Server or RADIUS Server template with the Server Authentication purpose.
- Certificate Chain: Ensure the ISE certificate chain includes all necessary intermediate certificates and the Root CA.
- Clients: Ensure all devices that connect to Wi-Fi trust the Root and Intermediate CA certificates.
Let me know if you need more details or assistance with any of these steps!