SAFE Certificate Management Design Guide

Available Languages

Download Options

  • PDF
    (4.7 MB)
    View with Adobe Reader on a variety of devices
Updated:January 11, 2023

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (4.7 MB)
    View with Adobe Reader on a variety of devices
Updated:January 11, 2023
 

 

Overview

In Cisco SAFE, the Management domain includes the management of devices and systems using centralized services for consistent policy deployment, workflow change management and the ability to keep systems patched. The Management coordinates policies, objects, and alerting.

 

DiagramDescription automatically generated

Figure 1.            

SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for infrastructure and Secure Domains for operational guidance.

SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that  is holistic and understandable.

Related image, diagram or screenshot

Figure 2.           SAFE Guidance Hierarchy

 

This operations design guide contains instructions for certificate management required by the Zero Trust: Network and Cloud Security design guide.

This guide is focused on Active Directory (AD) as an external certificate authority (CA). The guidance is provided for configuring certificates on security components that integrate with the Platform Exchange Grid (pxGrid) provided by Identity Services Engine (ISE). Guidance is also provided on how to setup Administrator certificates.

Certificate Management

Create Externally Signed ISE Certificates for pxGrid and Admin Services

Integrating Secure Firewall with pxGrid requires that the Firewall Management Center (FMC) trust the root CA used to sign the ISE MNT server Admin certificate and the ISE pxGrid certificate.

This section will cover

      how to use ISE to generate Certificate Signing Requests (CSRs) for the pxGrid and Admin certificates

      the process of creating a template for the CSRs in AD

      the process for generating certificates from the CSRs in AD

      the process for adding the CA root certificate as a trusted CA in ISE.

Active Directory Certificate Authority: Export a Root Certificate

The external CA root certificate should be trusted in ISE before importing any certificates signed by the external CA.

Step 1.         To export a root certificate from an Active Directory CA, Access the CA server by appending /certsrv/ to the AD server hostname, e.g.

      adserver.example.com

      adserver.example.com/certsrv/

 

Graphical user interface, text, application, emailDescription automatically generated

Step 2.         Click the Download a CA certificate, certificate chain, or CRL option.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.         Set the encoding method if desired, then click Download CA certificate.

Graphical user interface, text, application, emailDescription automatically generated

ISE: Add an External Certificate to the Trusted Certificate Store

Step 1.         Within ISE, click the Menu icon (page21image42869280) and navigate to Administration à System à Certificates.

Step 2.         Click on Trusted Certificates, then click Import.

Graphical user interface, text, applicationDescription automatically generated

Step 3.         Select Choose File and upload the root certificate collected previously. Enter a Friendly Name, Description, and set the Trusted For fields for the certificate (this example uses the default setting for authentication within ISE, but more options can be checked). Click Submit.

Graphical user interface, text, application, emailDescription automatically generated

Step 4.         Use the filter option to search for the friendly name and verify that the certificate has been imported.

Graphical user interface, applicationDescription automatically generated

Additionally, the View and Export options can be used to check hash and certificate details for any uploaded certificate.

Graphical user interface, applicationDescription automatically generated

 

Active Directory: Create a Client and Server Authentication Template

The default ISE certificates for pxGrid and Admin are configured for both Client Authentication and Server Authentication. However, Active Directory does not have a default template to create certs with both Client and Server Authentication. This section covers how to create a CA template that will produce certificates with the Client Auth and Server Auth fields.

Step 1.         Access Active Directory, open Server Manager, then select Tools à Certificate Authority.

Graphical user interfaceDescription automatically generated with medium confidence

Step 2.         Expand the CA server dropdown on the left menu, select Certificate Templates, right-click the empty space in the right side of the window, then select Manage.

Graphical user interface, text, applicationDescription automatically generated

Step 3.         Select the Web Server template, right-click it, then click Duplicate Template.

Graphical user interface, application, tableDescription automatically generated

Step 4.         Certification Authority and Certificate Recipient can be changed if desired or left at the default of 2003 for greatest compatibility. Click Apply if changes were made.

Graphical user interface, applicationDescription automatically generated

Step 5.         Click on the Extensions tab, leave Application Policies selected, then click the Edit button.

Graphical user interface, text, applicationDescription automatically generated

Step 6.         Click the Add button.

Note:      Server Authentication is added by default.

Graphical user interface, text, applicationDescription automatically generated

Step 7.         Select Client Authentication and click OK.

Graphical user interface, text, applicationDescription automatically generated

Step 8.         Confirm that both Client Authentication and Server Authentication are now listed. Click OK.

Graphical user interface, text, applicationDescription automatically generated

Step 9.         Optional: while still on the Extensions tab, select Key Usage and click Edit.

Graphical user interface, text, applicationDescription automatically generated

Step 10.      Enable nonrepudiation and encryption of user data. Click OK.

Graphical user interface, applicationDescription automatically generated

Step 11.      Click Apply.

Graphical user interface, text, applicationDescription automatically generated

Step 12.      Click on the Subject Name tab and verify that ‘Supply in the request’ is selected. If it is not, select it. Click OK.

Graphical user interface, text, applicationDescription automatically generated

Step 13.      Right click on the newly created copy and select Change Names.

Graphical user interface, tableDescription automatically generated

Step 14.      Set a name, then click OK.

Graphical user interface, text, applicationDescription automatically generated

Step 15.      Close the Certificate Templates Console.

Related image, diagram or screenshot

Step 16.      Back on the Certificate Templates page, right-click the empty space in the right window and select New à Certificate Template to Issue.

Graphical user interface, text, applicationDescription automatically generated

Step 17.      Select the template created previously and click OK.

Graphical user interface, text, applicationDescription automatically generated

Step 18.      Verify the new template now appears in the list of Certificate Templates.

Graphical user interface, text, application, emailDescription automatically generated

ISE: Generate Certificate Signing Request for the pxGrid Role

Step 1.         In the Cisco ISE Graphical User Interface (GUI), click the Menu icon (page51image131180496) and choose Administration à System à Certificates.

Step 2.    Click on Certificate Signing Requests in the left menu.

Graphical user interface, text, applicationDescription automatically generated

Step 2.         Click the Generate Certificate Signing Requests button.

Graphical user interface, text, applicationDescription automatically generated

Step 3.         Set the Certificate Usage to pxGrid, fill in Subject information, set SAN fields, and review Key Type, Length, and Digest. Click Generate when finished.

Note:      ISE does not allow multiple certificates with the same Subject fields. In the example below, pxGrid is set as the OU to create a unique Subject combination.

Graphical user interface, application, TeamsDescription automatically generatedGraphical user interface, text, applicationDescription automatically generated

Step 4.         Export the CSR file.

Graphical user interface, text, application, chat or text message, emailDescription automatically generated

ISE: Generate Certificate Signing Request for the Admin Role

Step 1.         Continuing from the prior section (Administration à System à Certificates à Certificate Signing Requests) click the Generate Certificate Signing Requests button.

Graphical user interface, text, applicationDescription automatically generated

Step 2.         Set the Certificate Usage to pxGrid, fill in Subject information, set SAN fields, and review Key Type, Length, and Digest. Click Generate when finished.

Note:      ISE does not allow multiple certificates with the same Subject fields. In the example below, Admin is set as the OU to create a unique Subject combination.

Graphical user interface, application, TeamsDescription automatically generated

Graphical user interface, applicationDescription automatically generated

Step 3.         Export the file.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Active Directory: Create Certificates from Certificate Signing Requests

Before starting this section, generate CSRs using the steps in the prior section (or other methods such as OpenSSL, if preferred).

Step 1.         Access the CA server by appending /certsrv/ to the AD server hostname, e.g.

      adserver.example.com

      adserver.example.com/certsrv/

Step 2.         From the CA server, click the Request a certificate link.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.         Select the advanced certificate request option.

TextDescription automatically generated

The advanced certificate request page prompts for entry of a CSR in text format.

Graphical user interface, applicationDescription automatically generated

Step 4.         Locate the CSR file to upload and open with a text editor (right-click the CSR file and select ‘Open with…’ if the CSR is not associated with a text editor by default).

Graphical user interface, applicationDescription automatically generated

Step 5.         Copy the entire block of text starting with the BEGIN line and ending with the END line.

A picture containing textDescription automatically generated

Step 6.         Return to the CA server and paste the copied text into the Request field. Set the Certificate Template to the one configured in the prior Create a Client and Server Authentication Template section. Click Submit.

Graphical user interface, text, applicationDescription automatically generated

Step 7.         Select Base 64 encoded and click either the Download certificate or Download certificate chain option. It is recommended to rename the file to denote the certificate type (in this case, the Admin certificate). This example uses the ‘Download certificate’ option for simplicity, as AD generates the certificate in .cer format, which can be imported directly into ISE. The chain option generates the certificate in .p7b format, which requires conversion to an ISE compatible format via OpenSSL.

Graphical user interface, text, applicationDescription automatically generated

Step 8.         Repeat the above steps to generate the pxGrid certificate, which also uses the client_and_server_auth template.

Windows: Verify Certificate Details

Step 1.         Double click the newly created certificate to open it.

Note:      Only the .cer format will open using this method; the .p7b format created from the chain option will not.

 

Graphical user interface, text, applicationDescription automatically generated

Step 2.         If a Security Warning prompt appears, click Open.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.         Click the Details tab and select Enhanced Key Usage. Verify that both Client Authentication and Server Authentication are available. Click OK to close.

Graphical user interface, text, applicationDescription automatically generated

ISE: Bind Certificates to CSR Requests and Assign Certs to Roles

Before starting, note that changing the Admin certificate will cause the application server to restart.

Step 1.         Click the Menu icon (page21image42869280) and navigate to Administration à System à Certificates.

Step 2.         Click on Certificate Signing Requests.

Graphical user interface, text, applicationDescription automatically generated

Step 3.         Locate the CSRs created in the Generate Certificate Signing Requests step. Check the box next to the Admin entry, then click Bind Certificate (the bind action will bind the generated certificate to the private key ISE created when the CSR was made).

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 4.         Click the Choose File button and upload the Admin Certificate created in the Create Certificates from CSRs step. Enter a Friendly Name for the certificate and check the Validate Certificate Extensions box. Click Submit.

Graphical user interface, text, application, emailDescription automatically generated

Step 5.         An alert will appear stating that changing the Admin certificate will restart the application server. If a service outage is currently acceptable for the node, select Yes. If not, click No and reschedule for a change window.

Graphical user interface, applicationDescription automatically generated

Step 6.         To verify when the Application Server is up, access the ISE node Command Line Interface (CLI) and run the command ‘show application status ise’. The screenshot below shows output for the Application Server in an Initializing state.

TextDescription automatically generated

Once the Application Server has fully restarted, the State will change to running.

Graphical user interfaceDescription automatically generated with medium confidence

Step 7.         Repeat the steps above to import the pxGrid certificate, which does not require a restart of the Application Server.

Step 8.         Verify the uploaded certificates by clicking on the System Certificates link and confirming the Friendly Name and certificate details of the uploaded certificates.

Graphical user interface, text, application, emailDescription automatically generated

ISE: Export an ISE Root Certificate

While using an external CA is recommended, ISE does have CA capability that can be used in the absence of an outside CA. This section details how to locate and export the ISE root certificate.

Step 1.         Click the Menu icon (page21image42869280) and navigate to Administration à System à Certificates.

Step 2.         Expand Certificate Authority, then select Certificate Authority Certificates on the left menu.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.         Check the box next to the Certificate Services Root CA, click Export, and download the file.

Graphical user interface, applicationDescription automatically generated

Active Directory: Distribute Machine Certificates via Group Policy Object

The certificates created and distributed in this step can be used for a machine authorization check in ISE. The AD Certificate Authority has a preconfigured certificate template labelled ‘Computer’ that creates certificates with client and server authentication. However, since we will only be using these certificates for client authentication, we will first create a new template that only has client auth set.

Step 1.         Configure Group Policy

Step 2.         Click on Tools à Group Policy Management.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 3.         Right click on the target domain and click ‘Create a GPO in this domain’.

Graphical user interface, text, applicationDescription automatically generated

Step 4.         Enter a name and click OK.

Graphical user interface, applicationDescription automatically generated

Step 5.         Right click on the newly created GPO and click edit.

Graphical user interface, applicationDescription automatically generated

Step 6.         Expand the tree to Computer Configuration à Policies à Windows Settings à Security Settings then click Public Key Policies. Double click on Certificate Services Client – Auto-Enrollment.

Graphical user interface, text, applicationDescription automatically generated

Step 7.         Set Configuration Model to Enabled and check the boxes to renew and update certificates. Click Apply, then click OK.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.         Right click on Automatic Certificate Request Settings, select New, then select Automatic Certificate Request.

Graphical user interface, text, applicationDescription automatically generated

Step 9.         Click Next.

Graphical user interface, application, WordDescription automatically generated

Step 10.      Select the Computer template, then click Next.

Graphical user interface, text, applicationDescription automatically generated

Step 11.      Click Finish.

Graphical user interface, applicationDescription automatically generated

Step 12.      Close the Group Policy windows. From the AD CS, launch a command line and run gpupdate /force.

TextDescription automatically generated

Step 13.      Access the Windows workstation that is to receive the certificate and run command line as administrator, entering the same gpupdate /force command as above.

Graphical user interfaceDescription automatically generated

 

TextDescription automatically generated

Verify Certificate Install

Step 1.         From the Windows host, type ‘cert’ into the search bar and select ‘Manage computer certificates’.

A screenshot of a computerDescription automatically generated with medium confidence

Step 2.         Expand the dropdown on the Personal folder and click on Certificates. Identify the machine certificate in the right pane and double click on it.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.         The certificate should have a name that corresponds to the device name and a local private key.

Graphical user interface, text, application, emailDescription automatically generated

Step 4.         Click on the Details tab and scroll down to Enhanced Key Usage. Verify that the certificate has Client Authentication.

Graphical user interface, text, applicationDescription automatically generated

Step 5.         Click on the Certification Path tab and verify the certificate chain. The root certificate and any intermediate certificates need to be trusted in ISE. Click OK.

Graphical user interface, text, applicationDescription automatically generated

Appendix

Appendix A – Acronyms Defined

Acronym

Definition

CA

Certificate Authority

CSR

Certificate Service Request

GPO

Group Policy Object

GUI

Graphical User Interface

ISE

Identity Services Engine

pxGrid

Cisco Platform Exchange Grid

Appendix B – References

      Cisco Zero Trust Architecture Guide

      Zero Trust Frameworks Guide

      Cisco Zero Trust: User and Device Security Design Guide

      Cisco SAFE

      Cisco pxGrid

 

Appendix C - Feedback

If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to ask-security-cvd@cisco.com.

 

 

Learn more