This post looks at configuring a Windows Active Directory CA server with a certificate template for use with ISE that enables both the ‘client authentication’ and ‘server authentication’ extended key usages.
We have a simple network topology with a single ISE node, single Windows server, and a single Windows client machine.
MMC
Open the MMC (I did this logged into the DC as Administrator) and add the Certificate Templates, Certificates – Current User, and Certificate Authority snap-ins.
Add a Certificate Template
Click on the Certificate Templates snap-in, right-click the default web server template and select ‘duplicate’. Change the name of the template in the General tab. On the ‘extensions’ tab, edit Application Policies and add both client and server authentication.
Issue the Certificate Template
Select the CA snap-in, right-click Certificate Templates and then New -> Certificate Template to Issue, and select the ISE certificate template you have just created.
The template should now be available when accessing the AD certificate services web page. Select the option to submit an advanced certificate request.
The new ISE template should appear in the ‘Certificate Template’ drop down. CSRs generated from ISE should be requested using this template.
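Once the CA has signed a CSR with the new template, it is worth confirming that the issued certificate really carries both application policies before binding it in ISE. The PowerShell below is an added example, not part of the original post; the file name ise-node.cer and the function name Test-IseCertificateEku are assumptions chosen for illustration.

```powershell
# Added example: check that a certificate issued from the duplicated template
# contains both EKUs that were added under Application Policies.
# Assumption: the signed certificate was downloaded as .\ise-node.cer (hypothetical name).

function Test-IseCertificateEku {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # OIDs of the two Application Policies selected on the template's Extensions tab
    $required = [ordered]@{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }

    $fullPath = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Find the Enhanced Key Usage extension (OID 2.5.29.37), if the certificate has one
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # A certificate with no EKU extension is reported as missing both usages,
    # because the template is expected to set them explicitly.
    $present = @()
    if ($eku) {
        $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    $missing = @($required.Keys |
        Where-Object { $_ -notin $present } |
        ForEach-Object { $required[$_] })

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        EkuOids  = $present
        Missing  = $missing
        Usable   = ($missing.Count -eq 0)
    }
}

Test-IseCertificateEku -Path .\ise-node.cer
```

If Usable is False, the Missing column names the policy that was not added to the template, and the certificate should be reissued after correcting the template.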