ISE Certificates with Let's Encrypt
Cisco ISE TME Charlie Moreton shows how to automate certificate provisioning to ISE with Let's Encrypt.

🕒 Topics:
00:00 Intro & Agenda
01:05 Terminology
01:32 Identity and Digital Certificates
03:21 Certificate Hierarchies: Root, Intermediate, Entity
04:57 Certificate History with X.509v3 Standard
08:15 Certificate Attributes breakdown
11:16 Encoding: DER, PEM, PKCS
12:40 Public Key Cryptography Standards (PKCS) #7,8,12
14:47 Public Key Infrastructures (PKIs)
18:35 Root Certificate Authorities (CAs)
19:29 Certificate Signing Request (CSR)
22:32 Expiration
23:06 Automatic Certificate Management Environment (ACME)
24:16 Certificate Lifespans shortening to 47 days by 2029
27:37 Automated Certificate Renewal with certbot and Ansible https://github.com/ISEDemoLab/ISE_Certificates_with_Lets_Encrypt
```
crontab -e
# minute hour dom month dow command
# 00:30 on the 1st of each month: renew the Let's Encrypt certificates
30 00 1 * * sudo certbot renew
# 01:00 on the 1st of each month: run the playbook that imports them into ISE
00 01 1 * * ansible-playbook ~/Labs/playbooks/import_lets_encrypt_certificates_on_ise.yaml
```
29:44 Demo: Untrusted Self-Signed Certificates on PAN and Portals
30:39 Demo: Install Certificates with Ansible
32:20 Oops! Charlie used the same ISE PPAN for both testing and the Live Demo and Chrome's enforcement of HSTS (HTTP Strict Transport Security) caused a failure since the certificate had changed on the node multiple times. After the webinar ended, Charlie accessed ISE using Firefox and a secure connection was established properly using HTTPS.
33:16 Demo: Validation of Updated Certificates
36:32 Demo: Review Ansible script to import certificates into ISE

Resources
- https://letsencrypt.org
- https://certbot.eff.org/instructions
- https://github.com/ISEDemoLab/ISE_Certificates_with_Lets_Encrypt
- RFC 2315 PKCS #7: Cryptographic Message Syntax: https://www.rfc-editor.org/rfc/rfc2315
- RFC 5208 PKCS #8: Private-Key Information Syntax Specification: https://www.rfc-editor.org/rfc/rfc5208
- RFC 7292 PKCS #12: Personal Information Exchange Syntax: https://www.rfc-editor.org/rfc/rfc7292
- RFC 5280 Internet X.509 Public Key Infrastructure Certificate and CRL Profile: https://www.rfc-editor.org/rfc/rfc5280
- Using Let's Encrypt Certificates with Cisco ISE: https://community.cisco.com/t5/security-knowledge-base/using-let-s-encrypt-certificates-with-cisco-ise/ta-p/5090885
- Automatic ISE Portal Certificate Renew with Letsencrypt - how to guide: https://community.cisco.com/t5/security-knowledge-base/automatic-ise-portal-certificate-renew-with-letsencrypt-how-to/ta-p/5271822