https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601537#M520537 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: Calibri; font-size: 12pt;">The following gui is under External Identity Sources -&gt; Certificate Authentication Profile. We would like to use the certificates serial number as identity, but the only option I see is “subject – serial number” (see below). It is my understanding that “subject-serial number” does not make sense to our PKI guys (I think that terminology is invalid in their view). We thought maybe it meant the certificates serial number which is what we want, but when I configured it, ISE failed saying the user information couldn’t be retrieved from the certificate. This would make sense if it’s trying to pull it out of the subject field, which is what I think it’s probably doing based on the gui, but the PKI guys would like to know what is “subject – serial number” and is it really a valid thing? Also, is there a way to use the certificate’s serial number as “user” identity to query ldap?</SPAN></P></BODY></HTML> Tue, 24 Oct 2017 15:10:21 GMT jideji 2017-10-24T15:10:21Z https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601537#M520537 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: Calibri; font-size: 12pt;">The following gui is under External Identity Sources -&gt; Certificate Authentication Profile. We would like to use the certificates serial number as identity, but the only option I see is “subject – serial number” (see below). It is my understanding that “subject-serial number” does not make sense to our PKI guys (I think that terminology is invalid in their view). We thought maybe it meant the certificates serial number which is what we want, but when I configured it, ISE failed saying the user information couldn’t be retrieved from the certificate. This would make sense if it’s trying to pull it out of the subject field, which is what I think it’s probably doing based on the gui, but the PKI guys would like to know what is “subject – serial number” and is it really a valid thing? Also, is there a way to use the certificate’s serial number as “user” identity to query ldap?</SPAN></P></BODY></HTML> Tue, 24 Oct 2017 15:10:21 GMT https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601537#M520537 jideji 2017-10-24T15:10:21Z https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601538#M520538 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">ISE dictionary CERTIFICATE has three serial numbers (attached a screenshot from ISE 2.3 conditions studio):</SPAN></P><P><IMG __jive_id="112478" alt="Screen Shot 2017-10-23 at 9.50.40 PM.png" class="image-1 jive-image" height="200" src="/legacyfs/online/fusion/112478_Screen Shot 2017-10-23 at 9.50.40 PM.png" style="height: 199.52402745995423px; width: 346px;" width="346" /></P><P></P><P><SPAN style="color: #000000; font-family: Helvetica; font-size: 12px;">And, </SPAN><A href="https://community.letsencrypt.org/t/certificates-with-serialnumber-in-subject/11891" style="font-family: Helvetica; font-size: 12px;">Certificates with serialNumber in subject - Server - Let's Encrypt Community Support</A><SPAN style="color: #000000; font-family: Helvetica; font-size: 12px;"> shows that it possible to have the serial number as part of the “Subject”. Our engineering team confirmed that certificate serial number and subject serial number fields are independent. Only the one as part of <STRONG>Subject</STRONG> line will be chosen and used in ISE cert auth profile</SPAN></P><P></P><P style="color: #000000; font-family: Helvetica; font-size: 12px;">The "subject - serial number” very likely differing from the serial number of the certificate issued by the CA. See examples below:</P><UL><LI><A href="https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&amp;actp=CROSSLINK&amp;id=SO18140#Subject">What extensions and details are included in a SSL certificate? | Symantec</A> —&gt; Subject: <SPAN style="font-family: Arial, Helvetica, sans-serif;"><EM>Serial Number (Business Registration Number)</EM></SPAN></LI><LI><A href="https://www.ietf.org/mail-archive/web/pkix/current/msg14588.html">Re: "Subject Alternative Name" v/s "Subject/Serial Number”</A>—&gt; Swedish national identity number.<P></P></LI></UL></BODY></HTML> Tue, 24 Oct 2017 15:23:30 GMT https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601538#M520538 hslai 2017-10-24T15:23:30Z https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601539#M520539 <HTML><HEAD></HEAD><BODY><P>Thanks.</P></BODY></HTML> Thu, 26 Oct 2017 20:21:09 GMT https://community.cisco.com/t5/network-access-control/ise-usage-of-subject-serial-number-quot-certificates-serial/m-p/3601539#M520539 jideji 2017-10-26T20:21:09Z