Cisco Support Community

New Member

Cisco ISE Root CA

Hi all,

I have a query on onboarding iOS, Android and Windows devices through Cisco ISE.

I understood that we are going to provision and onboard the above devices by issuing certificates.

Does ISE have a certificate authority where it can generate its own root CA, an intermediate CA signed by the root CA, and device certificates signed by the intermediate CA (I mean the profile signing CA)?

Or else do we need to create a CSR and send it to a CA to get it signed, and then import the root and intermediate CAs into ISE? With CAs like GoDaddy, VeriSign... when we send the CSR, do they send the root certificate, intermediate certificate and signed certificate?





VIP Purple



After installation, ISE generates, by default, a self-signed local certificate and private key, and stores them on the server.  ISE authenticates itself to clients using the default self-signed certificate that is created at the time of installation. This self-signed certificate is used for both HTTPS and EAP protocols to authenticate clients. This self-signed certificate is valid for one year and its key length is set to 1024 bits. At the time of generation, this certificate is used for both EAP and HTTPS protocols.


Cisco strongly recommends installing a CA-signed certificate. (Don't use the self-generated certificate from ISE.)

Process for certificate deployment: see the link:





New Member


Hi Sandeep,

Yes, I understood that. Yes, I do agree that the self-signed certificate is used for L3 authentication and EAP methods.

During provisioning of BYODs, I understood that a client certificate is pushed to perform EAP-TLS (iOS) and credentials for Android (PEAP-MSCHAPv2). As there is no CA capability for ISE, how will it issue certificates to client devices?


New Member


Yes, Sandeep is correct. You may also check the below link,
