EJBCA and Cisco ISE

Cisco Identity Services Engine (ISE) enables a dynamic and automated approach to policy enforcement that simplifies the delivery of highly secure network access control.

Configuring EJBCA as a backend CA in Cisco ISE allows devices to enroll with certificates from EJBCA, through the ISE enrollment interfaces. For more information on EJBCA SCEP in RA Mode, see SCEP.

For internal reasons, ISE configured as a SCEP Proxy puts a device MAC Address in the SAN RFC822 Email Field which violates RFC822: Standard for the format of ARPA Internet text messages. As a result, EJBCA will by default reject the CSR.

To allow EJBCA to accept the CSR coming from the Cisco ISE application, disable End Entity Profile Limitations in the EJBCA System Configuration. This option restricts the values that can be used when adding or editing an end entity.

To disable End Entity Profile Limitations:

  1. In EJBCA, select the System Configuration menu option.
  2. Disable the End Entity Profile Limitation option.

EJBCA will now accept the CSR coming from the ISE application and sign the request. 

Note that disabling the End Entity Profile Limitation option will affect all profiles and it is therefore recommended to verify that this is acceptable for any other profiles and CAs in your installation, or have a separate EJBCA installation to support the ISE application.

For more information on EJBCA End Entity Profiles, see End Entity Profiles Overview.