ISE

    Why pxGrid Can No Longer Use Public CA Certificates

    If you use Let's Encrypt or another public CA to sign certificates for Cisco pxGrid, you have a problem on the horizon. A change driven by the Google Chrome Root Program is removing the TLS Client Authentication EKU from publicly trusted certificates, and pxGrid depends on exactly that EKU.

    Here's what's happening and what it means for your ISE deployment.

    What Is pxGrid?

    Cisco pxGrid (Platform Exchange Grid) is a publish/subscribe framework built into ISE that allows security platforms to share context in real time. SIEMs, firewalls, threat intelligence platforms, and XDR solutions use pxGrid to consume ISE session data and to push policy changes back into ISE.

    Because pxGrid exposes sensitive network context and allows policy manipulation, the connections it brokers are mutually authenticated with TLS certificates. Both sides of a pxGrid connection, ISE and the connecting client (e.g., FMC), present certificates to prove their identity. This is mutual TLS (mTLS), and it is not optional. Note that this trust must be fully meshed: every pxGrid participant must trust the CA that issued ISE's pxGrid certificate and the CAs that issued every other participant's certificate, and ISE must trust all of them in turn. Using a single CA for all pxGrid certificates is the established best practice precisely because it collapses that mesh to one trust anchor.

    Two Kinds of Certificate Purposes

    Not all TLS certificates are created equal. An X.509 certificate can carry an Extended Key Usage (EKU) extension that lists the purposes the certificate may be used for, and a relying party is expected to reject a certificate presented for a purpose its EKU does not list. (This is separate from the basic Key Usage extension, which constrains the cryptographic operations the key may perform.) The two EKUs relevant here are:

    • TLS Server Authentication (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1) — authenticates a server to a connecting client. This is what HTTPS websites use.
    • TLS Client Authentication (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2) — authenticates a client to a server. This is what pxGrid clients use when connecting to ISE.

    Most public CA certificates have historically included both EKUs. That's changing.

    The Google Chrome Deadline

    Google Chrome's Root Program Policy, which governs which CAs are trusted by Chrome, requires that the PKI hierarchies in the Chrome Root Store be dedicated to TLS server authentication, with a June 2026 deadline. A public CA that wants to keep issuing TLS Client Authentication certificates has to do so from a separate hierarchy that Chrome does not trust; Let's Encrypt, for one, has chosen instead to stop issuing the Client Authentication EKU altogether. The rationale is security hygiene: a certificate trusted for authenticating servers to millions of users probably shouldn't also be usable to authenticate arbitrary clients to arbitrary servers.

    What This Means for pxGrid

    pxGrid clients — your SIEM, your firewall, your XDR platform — present a certificate to ISE when establishing a connection. ISE validates that certificate: it must chain to a CA in ISE's Trusted Certificates store, and it must carry the Client Authentication EKU. Without that EKU, the connection fails.

    If you are currently using public CA-signed certificates for your pxGrid integrations, those certificates will stop working for this purpose as they are renewed. Let's Encrypt has already dropped the Client Authentication EKU from its default certificate profile and is retiring its opt-in client-authentication profile in May 2026, so you won't be able to get new public CA certificates with that EKU after May 2026, and a routine renewal may drop it before then.

    The Fix: Use a Private CA

    This is actually the model Cisco has always recommended for pxGrid, and for good reason: pxGrid is an internal fabric, not a public-facing service, and it doesn't need to be trusted by a browser.

    ISE's built-in CA is the most straightforward path, and the one Cisco has recommended since ISE 2.1; the certificates it issues for pxGrid clients (under Administration > pxGrid Services) carry the required extensions by default. If your organization already operates a private enterprise CA (e.g., Microsoft AD CS), that works equally well, provided the certificate template sets the extensions below; with an AD CS enterprise CA those come from the template, not from the CSR.

    Regardless of which CA you use, when generating or validating pxGrid certificates, confirm the following extensions are present: Key Usage must include Digital Signature and Key Encipherment; Extended Key Usage must include both Client Authentication and Server Authentication. This applies to the ISE pxGrid node's own system certificate as well as to every client certificate, since both sides present one. A certificate missing any of these will be rejected by ISE.
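    The EKU distinction and the extension checklist above, as an added example that is not from the original post or from Cisco: the script below uses OpenSSL to stand up a throwaway private CA (the name "Example pxGrid Private CA" and the host name siem.example.internal are made up), issues one certificate with the extensions pxGrid requires and one server-authentication-only certificate of the kind a public CA will issue after the deadline, then inspects each for the required Key Usage and Extended Key Usage values and runs `openssl verify -purpose sslclient` against the private CA, which is the closest OpenSSL equivalent of what ISE does when a client connects. Only a working `openssl` binary is assumed.

```shell
#!/bin/sh
# Added example (not from the original post or Cisco): issue pxGrid-style
# certificates from a throwaway private CA and check the extensions ISE
# requires. CA name, host name and file names are illustrative.
set -e

WORK=$(mktemp -d)

# 1. A throwaway private CA, standing in for the ISE internal CA or AD CS.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example pxGrid Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME CN EKU: issue a leaf certificate signed by the private CA.
# Key Usage is fixed to what pxGrid needs; the EKU list is the variable
# under discussion (e.g. "clientAuth,serverAuth" versus "serverAuth").
issue_cert() {
  name=$1; cn=$2; eku=$3
  cat > "$WORK/$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=$eku
subjectAltName=DNS:$cn
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -days 365 -sha256 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# check_pxgrid_cert FILE: print each missing value and fail unless Key Usage
# has Digital Signature and Key Encipherment and Extended Key Usage has both
# TLS Web Client Authentication and TLS Web Server Authentication.
check_pxgrid_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  ku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | tail -n 1 || true)
  eku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 || true)
  rc=0
  for want in "Digital Signature" "Key Encipherment"; do
    case "$ku" in *"$want"*) ;; *) echo "$1: missing Key Usage '$want'"; rc=1 ;; esac
  done
  for want in "TLS Web Client Authentication" "TLS Web Server Authentication"; do
    case "$eku" in *"$want"*) ;; *) echo "$1: missing Extended Key Usage '$want'"; rc=1 ;; esac
  done
  return $rc
}

# verify_as_client FILE: chain to the private CA and check fitness for the
# TLS client purpose, which is what ISE effectively does on connect.
verify_as_client() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# A pxGrid client certificate as a private CA should issue it.
issue_cert pxgrid-client siem.example.internal clientAuth,serverAuth
# What a public CA will issue after the deadline: server authentication only.
issue_cert public-style siem.example.internal serverAuth

for c in pxgrid-client public-style; do
  if check_pxgrid_cert "$WORK/$c.crt" && verify_as_client "$WORK/$c.crt"; then
    echo "$c.crt: acceptable for pxGrid"
  else
    echo "$c.crt: would be rejected by ISE"
  fi
done
```

    Point `check_pxgrid_cert` at a certificate you already have on hand (for example one a public CA renewed recently) to see whether the Client Authentication EKU has already been dropped; the text-based check is deliberately independent of the chain check so you can run it on a leaf certificate alone.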

    Takeaway

    Google Chrome's root program changes are reshaping what public CAs can issue. pxGrid's reliance on mutual TLS with Client Authentication EKU certificates means it was never a great fit for public CA certificates to begin with. The upcoming deadline makes that official.

    If you're using public CA certificates for pxGrid today, now is the time to migrate to ISE's internal CA or a private enterprise CA. The deadline is June 2026, but certificate renewals may trigger the issue sooner.

    Please reach out with any questions or comments you might have.
