The Cisco ISE must use DoD-approved PKI rather than proprietary or self-signed device certificates.
An XCCDF Rule
Description
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs. The Cisco ISE generates a key-pair and a CSR. The CSR is sent to the approved CA, who signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a Certificate Signing Request (CSR), submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-242639r879887_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Replace the self-signed certificate with a CA-signed certificates for greater security. To obtain a CA-signed certificate:
A. Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment.
1. Choose Administration >> System >> Certificates >> Certificate Signing Requests.
2. Enter the values for generating a CSR.
Examples: