Phase 5: Certificate Issuance (DOMUS PKI)
Issue Admin/EAP Certificate from Workstation
dsource d000 dev/vault
vault write pki_int/issue/domus-server \
common_name="ise-01.inside.domusdigitalis.dev" \
ip_sans="10.50.1.20" \
ttl="8760h" \
-format=json > /dev/shm/ise-01-cert.json
Extract Components
jq -r '.data.certificate' /dev/shm/ise-01-cert.json > /dev/shm/ise-01.crt
jq -r '.data.private_key' /dev/shm/ise-01-cert.json > /dev/shm/ise-01.key
jq -r '.data.ca_chain[]' /dev/shm/ise-01-cert.json > /dev/shm/ise-01-chain.pem
Split CA Chain
cd /dev/shm
awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' ise-01-chain.pem > DOMUS-ISSUING-CA.pem
awk '/-----BEGIN CERTIFICATE-----/{n++} n==2' ise-01-chain.pem > DOMUS-ROOT-CA.pem
Verify Before Import
openssl x509 -in /dev/shm/ise-01.crt -noout -subject -issuer -dates
openssl x509 -in DOMUS-ISSUING-CA.pem -noout -subject
openssl x509 -in DOMUS-ROOT-CA.pem -noout -subject
subject=CN=ise-01.inside.domusdigitalis.dev
issuer=CN=DOMUS-ISSUING-CA
subject=CN=DOMUS-ISSUING-CA
subject=C=US, O=Domus Digitalis, OU=Enterprise PKI, CN=DOMUS-ROOT-CA
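As an added pre-import check that is not part of this runbook: a POSIX shell function that confirms the Vault-issued key matches the certificate, that the awk split did not swap the issuing and root files, that the chain verifies with the root as the only anchor, and that the SANs carry the common_name and ip_sans passed to Vault. Because it has to run offline, it builds a constructed throwaway root/issuing/leaf hierarchy (the TEST-* names are made up); with the real files, call precheck_cert on ise-01.crt, ise-01.key, DOMUS-ISSUING-CA.pem and DOMUS-ROOT-CA.pem as shown in the comment. It assumes the openssl CLI, 1.1.1 or later (for the -ext option), is installed.

```shell
#!/bin/sh
# Added example, not from the runbook: pre-import checks for a Vault-issued leaf cert
# and the two chain files produced by the awk split. Assumes the openssl CLI (>= 1.1.1).
set -eu

# precheck_cert LEAF KEY ISSUING ROOT DNS_SAN IP_SAN  -> returns 0 only if all checks pass
precheck_cert() {
  leaf=$1 key=$2 issuing=$3 root=$4 dns=$5 ip=$6
  # 1. the private key belongs to this certificate (compare the derived public keys)
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "FAIL: private key does not match certificate"; return 1; }
  # 2. the split did not swap the files: the issuing CA must be signed by the root
  [ "$(openssl x509 -in "$issuing" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$root" -noout -subject_hash)" ] ||
    { echo "FAIL: issuing CA is not signed by root (chain files swapped?)"; return 1; }
  # 3. the whole chain validates with the root as the only trust anchor
  openssl verify -CAfile "$root" -untrusted "$issuing" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL: chain does not verify"; return 1; }
  # 4. the SAN extension carries what clients connect to (Vault's common_name and ip_sans)
  sans=$(openssl x509 -in "$leaf" -noout -ext subjectAltName)
  case $sans in *"DNS:$dns"*) ;; *) echo "FAIL: DNS SAN $dns missing"; return 1 ;; esac
  case $sans in *"IP Address:$ip"*) ;; *) echo "FAIL: IP SAN $ip missing"; return 1 ;; esac
  echo "OK: $leaf passes pre-import checks"
}

# make_test_pki DIR: constructed root -> issuing -> leaf hierarchy so the check runs offline
make_test_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    '[leaf]' 'basicConstraints = CA:FALSE' \
    'subjectAltName = DNS:ise-01.inside.domusdigitalis.dev,IP:10.50.1.20' > "$d/x.cnf"
  openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$d/root.key" -out "$d/root.pem" -subj /CN=TEST-ROOT-CA -days 2 2>/dev/null
  for name in issuing leaf; do
    openssl req -new -config "$d/x.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$d/$name.key" -out "$d/$name.csr" -subj "/CN=TEST-$name" 2>/dev/null
  done
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions ca -days 1 -out "$d/issuing.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions leaf -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Self-test on the constructed hierarchy. With the runbook's files (after cd /dev/shm) call:
# precheck_cert ise-01.crt ise-01.key DOMUS-ISSUING-CA.pem DOMUS-ROOT-CA.pem ise-01.inside.domusdigitalis.dev 10.50.1.20
T=$(mktemp -d); make_test_pki "$T"
precheck_cert "$T/leaf.pem" "$T/leaf.key" "$T/issuing.pem" "$T/root.pem" ise-01.inside.domusdigitalis.dev 10.50.1.20
rm -rf "$T"
```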
Import to ISE GUI (10.50.1.20/admin)
Note: Import the Trusted CAs BEFORE the System Certificate. ISE validates the chain during import.
Step 1: Trusted Certificates (Administration → System → Certificates → Trusted Certificates)
- Import DOMUS-ROOT-CA.pem
  - Friendly Name: DOMUS-ROOT-CA
  - Trust for: authentication within ISE, client authentication, Cisco Services
- Import DOMUS-ISSUING-CA.pem
  - Friendly Name: DOMUS-ISSUING-CA
  - Trust for: the same options as the root
Step 2: System Certificate (Administration → System → Certificates → System Certificates)
- Import:
  - Certificate File: ise-01.crt
  - Private Key File: ise-01.key
  - Password: (empty, the key is unencrypted)
  - Friendly Name: DOMUS_ISE_ADMIN_EAP
  - Enable for: Admin + EAP Authentication
ISE will restart the Admin services; wait 2-3 minutes.
Issue pxGrid Certificate
Note: Future enhancement: create a dedicated Vault role for the pxGrid certificate. For now, the same domus-server role is used:
vault write pki_int/issue/domus-server \
common_name="ise-01.inside.domusdigitalis.dev" \
ip_sans="10.50.1.20" \
ttl="8760h" \
-format=json > /dev/shm/ise-01-pxgrid.json
jq -r '.data.certificate' /dev/shm/ise-01-pxgrid.json > /dev/shm/ise-01-pxgrid.crt
jq -r '.data.private_key' /dev/shm/ise-01-pxgrid.json > /dev/shm/ise-01-pxgrid.key
Verify pxGrid Cert Before Import
openssl x509 -in /dev/shm/ise-01-pxgrid.crt -noout -subject -issuer -serial -dates
subject=CN=ise-01.inside.domusdigitalis.dev
issuer=CN=DOMUS-ISSUING-CA
serial=<serial from Vault>
notBefore=<today>
notAfter=<today + 8760h>
Import to ISE GUI (Administration → System → Certificates → System Certificates → Import):
- Certificate File: ise-01-pxgrid.crt
- Private Key File: ise-01-pxgrid.key
- Friendly Name: DOMUS_ISE_PXGRID
- Enable for: pxGrid only
Note: Hyprland/Wayland file picker hang: the ISE cert import dialog uses the system file picker, which delegates to a desktop portal. Kill the hung portal process, then refresh the browser; the portal respawns on the next file dialog. This may happen on every file import, so kill and refresh each time. Alternative: launch Firefox without portal delegation.
Verify pxGrid Service Cert (Post-Import)
openssl s_client -connect ise-01.inside.domusdigitalis.dev:8910 </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -serial -dates
subject=CN=ise-01.inside.domusdigitalis.dev
issuer=CN=DOMUS-ISSUING-CA
serial=<new serial from Vault>
notBefore=<today>
notAfter=<today + 8760h>
Secure Cleanup
shred -vfz -n 3 /dev/shm/ise-01* /dev/shm/DOMUS-*.pem
rm -f /dev/shm/ise-01* /dev/shm/DOMUS-*.pem
Seal Vault
# Load vault credentials locally
dsource d000 dev/vault
# Seal: the token expands locally, the command executes remotely
ssh vault-01 "VAULT_ADDR='https://127.0.0.1:8200' VAULT_SKIP_VERIFY=1 VAULT_TOKEN='$VAULT_ROOT_TOKEN' vault operator seal"
Because the token is interpolated into the remote command line, it is visible in the process list on vault-01 for the duration of the call and may land in shell history there; keep this to the root token's short post-issuance window and do not reuse the pattern for long-lived tokens.
Verify Certificate Installation
Pre-Import: Confirm Restored Cert (CN mismatch expected)
After restore, ise-01 serves ise-02’s certificate. Verify the mismatch before replacing:
openssl s_client -connect ise-01.inside.domusdigitalis.dev:443 </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -serial -dates
subject=CN=ise-02.inside.domusdigitalis.dev   <-- mismatch, from restore
issuer=CN=DOMUS-ISSUING-CA
serial=6420C923AA4E3CC19B431306A6195EA6BEAD2E40
notBefore=Mar 5 21:57:05 2026 GMT
notAfter=Mar 5 21:57:35 2027 GMT
Post-Import: Confirm Correct Cert
After importing the new cert, the same command should show the correct CN:
openssl s_client -connect ise-01.inside.domusdigitalis.dev:443 </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -serial -dates
subject=CN=ise-01.inside.domusdigitalis.dev   <-- correct
issuer=CN=DOMUS-ISSUING-CA
serial=<new serial from Vault>
notBefore=<today>
notAfter=<today + 8760h>
Full Chain Verification
openssl s_client -connect ise-01.inside.domusdigitalis.dev:443 -showcerts </dev/null 2>/dev/null \
| grep -E "^(depth|Certificate chain| [0-9]+ s:)"
Certificate chain
 0 s:CN=ise-01.inside.domusdigitalis.dev
 1 s:CN=DOMUS-ISSUING-CA
 2 s:C=US, O=Domus Digitalis, OU=Enterprise PKI, CN=DOMUS-ROOT-CA
Verify Against Local CA
openssl s_client -connect ise-01.inside.domusdigitalis.dev:443 \
-CAfile /etc/ssl/certs/DOMUS-ROOT-CA.pem </dev/null 2>&1 \
| grep "Verify return code"
Verify return code: 0 (ok)
Note: The openssl s_client | openssl x509 pipeline above is a general-purpose check. Use it to audit any TLS endpoint, before and after certificate changes, to confirm the correct cert is being served.