Certificate Issuer
|
Friendly Name
|
Enter a friendly name for the certificate. This is an optional field. If you do not enter a friendly name, a default name
is generated in the following format:
common-name#issuer#nnnnn
|
Status
|
Choose Enabled or Disabled from the drop-down list. If the certificate is disabled, Cisco ISE will not use the certificate for establishing trust.
|
Description
|
(Optional) Enter a description.
|
Usage
|
Trust for authentication within ISE
|
Check this check box if you want this certificate to verify server certificates (from other Cisco ISE nodes or LDAP servers).
|
Trust for client authentication and Syslog
|
(Applicable only if you check the Trust for authentication within ISE check box) Check the check box if you want this certificate to be used to:
|
Trust for certificate based admin authentication
|
You can check this check box only when Trust for client authentication and Syslog is selected.
Check this check box to enable usage for certificate-based authentications for admin access. Import the required certificate
chains into the Trusted Certificate store.
|
Trust for authentication of Cisco Services
|
Check this check box if you want this certificate to be used to trust external Cisco services such as the Feed Service.
|
Certificate Status Validation
|
Cisco ISE supports two ways of checking the revocation status of a client or server certificate issued by a particular
CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which sends a request
to an OCSP service maintained by the CA. The second is to validate the certificate against a CRL that Cisco ISE downloads
from the CA. Both methods can be enabled together; in that case Cisco ISE queries OCSP first and consults the CRL only if
OCSP cannot determine the status.
|
Validate Against OCSP Service
|
Check the check box to validate the certificate against OCSP services. You must first create an OCSP Service to be able to
check this box.
|
Reject the request if OCSP returns UNKNOWN status
|
Check the check box to reject the request if certificate status is not determined by the OCSP service. If you check this check
box, an unknown status value that is returned by the OCSP service causes Cisco ISE to reject the client or server certificate
currently being evaluated.
|
Reject the request if OCSP Responder is unreachable
|
Check the check box for Cisco ISE to reject the request if the OCSP Responder is not reachable.
|
Download CRL
|
Check this check box if you want Cisco ISE to download a CRL.
|
CRL Distribution URL
|
Enter the URL from which to download the CRL from the CA. This field is populated automatically if the CA certificate
specifies a CRL distribution point. The URL must begin with "http", "https", or "ldap".
|
Retrieve CRL
|
The CRL can be downloaded automatically or periodically. Configure the time interval between downloads.
|
If download failed, wait
|
Configure the time interval that Cisco ISE must wait before it tries to download the CRL again.
|
Bypass CRL Verification if CRL is not Received
|
Check this check box if you want client requests to be accepted before the CRL is received. If you uncheck this check box, all
client requests that use certificates signed by the selected CA are rejected until Cisco ISE receives the CRL file. Note that
checking this box is a fail-open setting: while the CRL is unavailable, a certificate that the CA has revoked is still accepted.
|
Ignore that CRL is not yet valid or expired
|
Check this check box if you want Cisco ISE to ignore the start date and expiration date, continue to use the not-yet-active
or expired CRL, and permit or reject EAP-TLS authentications based on the contents of that CRL. A stale CRL does not list
certificates revoked after it was issued, so this is also a fail-open setting.
Uncheck this check box if you want Cisco ISE to check the CRL for the start date in the Effective Date field and the
expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates
signed by this CA are rejected.
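The following Python model is an added example, not Cisco ISE code, and it is not taken from this page. It encodes the decision flow the Certificate Status Validation fields above describe (OCSP first, CRL only when OCSP cannot determine a status, then the reject and bypass flags) so you can see how a given combination of check boxes behaves for a revoked certificate, an unreachable responder, or a missing or expired CRL. The setting names, the `OcspResult` values, the `Crl` structure and the serial numbers are assumptions made for the example; the one behaviour the page does not state, what happens when neither OCSP nor CRL yields a decision, is modelled as "accept with no revocation check" and labelled as an assumption in the code.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional, Set, Tuple


class OcspResult(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"            # responder answered but could not determine status
    UNREACHABLE = "unreachable"    # responder could not be contacted at all


@dataclass
class RevocationSettings:
    # Field names mirror the check boxes on the page; defaults are all unchecked.
    validate_against_ocsp: bool = False
    reject_if_ocsp_unknown: bool = False
    reject_if_ocsp_unreachable: bool = False
    download_crl: bool = False
    bypass_if_crl_not_received: bool = False
    ignore_crl_validity_dates: bool = False


@dataclass
class Crl:
    effective_date: datetime                     # "Effective Date" (thisUpdate)
    next_update: datetime                        # "Next Update"
    revoked_serials: Set[int] = field(default_factory=set)


def evaluate_certificate(serial: int, settings: RevocationSettings,
                         ocsp_result: Optional[OcspResult], crl: Optional[Crl],
                         now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for a certificate with the given serial.

    Order of evaluation follows the page: OCSP first; the CRL is consulted only
    if OCSP is disabled or cannot determine the status and the relevant reject
    flag is not set.
    """
    if settings.validate_against_ocsp:
        if ocsp_result == OcspResult.GOOD:
            return True, "ocsp:good"
        if ocsp_result == OcspResult.REVOKED:
            return False, "ocsp:revoked"
        if ocsp_result == OcspResult.UNKNOWN and settings.reject_if_ocsp_unknown:
            return False, "ocsp:unknown"
        if ocsp_result == OcspResult.UNREACHABLE and settings.reject_if_ocsp_unreachable:
            return False, "ocsp:unreachable"
        # Status not determined and not rejected: fall through to the CRL.

    if settings.download_crl:
        if crl is None:
            # "Bypass CRL Verification if CRL is not Received"
            if settings.bypass_if_crl_not_received:
                return True, "crl:not-received-bypassed"
            return False, "crl:not-received"
        if not settings.ignore_crl_validity_dates:
            # "Ignore that CRL is not yet valid or expired" is unchecked:
            # enforce Effective Date and Next Update.
            if now < crl.effective_date:
                return False, "crl:not-yet-valid"
            if now > crl.next_update:
                return False, "crl:expired"
        if serial in crl.revoked_serials:
            return False, "crl:revoked"
        return True, "crl:good"

    # Assumption for the example: with no method able to decide, the certificate
    # is accepted without a revocation check. The page does not state this case.
    return True, "no-revocation-check"


# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 6, 1, 12, 0, 0)
FRESH_CRL = Crl(NOW - timedelta(days=1), NOW + timedelta(days=6), {0x1001, 0x1002})
STALE_CRL = Crl(NOW - timedelta(days=30), NOW - timedelta(days=23), {0x1001})


def hardened_settings() -> RevocationSettings:
    """Fail-closed configuration: no acceptance while status is undetermined."""
    return RevocationSettings(validate_against_ocsp=True, reject_if_ocsp_unknown=True,
                              reject_if_ocsp_unreachable=True, download_crl=True,
                              bypass_if_crl_not_received=False, ignore_crl_validity_dates=False)


def permissive_settings() -> RevocationSettings:
    """Fail-open configuration: OCSP falls back to CRL, and CRL problems are ignored."""
    return RevocationSettings(validate_against_ocsp=True, download_crl=True,
                              bypass_if_crl_not_received=True, ignore_crl_validity_dates=True)


if __name__ == "__main__":
    for name, cfg in (("hardened", hardened_settings()), ("permissive", permissive_settings())):
        print(name, "revoked serial, OCSP down, no CRL yet:",
              evaluate_certificate(0x1001, cfg, OcspResult.UNREACHABLE, None, NOW))
        print(name, "revoked serial, OCSP unknown, stale CRL:",
              evaluate_certificate(0x1001, cfg, OcspResult.UNKNOWN, STALE_CRL, NOW))
```

Run with the permissive settings, the revoked serial is accepted while the CRL is missing (the bypass box) and is rejected only because the stale CRL still happens to list it; with the hardened settings every undetermined case is rejected outright. Use this kind of table when deciding which boxes to leave unchecked for a CA whose OCSP responder or CRL distribution point is not reliably reachable.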
|