topic ISE CSR Generation failed in Network Access Control

ISE CSR Generation failed

Ali Koussan — Mon, 11 Mar 2019 04:02:08 GMT

Hi,

I'm trying to generate a CSR on my ISE 1.1.1.268 ,I'm always getting this error "CSR generation failed: Invalid certificate subject DN length "

I followed cisco guide , and I used the ISE FQDN for the CN , but CSR generation is still failing ..

My ISE FQDN is : kam-ise-01.kamcorp.kam.com

here is the certificate subject i have used :

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, S=CA, L=NY

Any help please ..

Jatin Katyal — Sat, 26 Oct 2013 11:42:08 GMT

Could you please try this:

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY

I corrected the format. I think you were using only S. however the user guide says ST for state.

We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong

CSCuj28351 ISE complains about DN length when the problem is the format

Symptom:

ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE

Conditions:

It happens not necessarily when the whole subject is too long but if the format is wrong also

For example if you enter "C=Belgium" instead of "C=BE", you will get this error.

State and country are 2 certificates field that requires code letters and not full name.

Workaround:

Correct your fields to match the right X509 format

~BR
Jatin Katyal

**Do rate helpful posts**

Ali Koussan — Sat, 26 Oct 2013 11:56:25 GMT

100% , This is it .. Thaks for your help .

Jatin Katyal — Sun, 27 Oct 2013 09:39:47 GMT

Good to know

~BR
Jatin Katyal

**Do rate helpful posts**