
ACS 5.x CSR Certificate key usage

Hi Security Board,

I created a Certificate Signing Request within Cisco ACS and sent this request to my Certificate authority.

The CA guys came back to me and stated that the CSR contains the following X.509 key usages

  • digitalSignature
  • keyAgreement
  • keyCertSign
  • keyEncipherment

Unfortunately the key usages keyAgreement and keyCertSign are not allowed by the PKI policy. After all it's just a normal SSL server certificate :)

So I'm not able to get a certificate from my PKI when those key usages are in place.

If I compare the key usages of the ACS and the ISE (1.3), the ISE only requests the key usages digitalSignature and keyEncipherment, which is totally fine and matches the "standard" SSL web server certificate way of doing things. So ISE does the thing a little bit differently than ACS.

Long story short - here are my questions:

  • Is there a way to configure the certificate attributes within the CSR directly from the ACS?
  • Any idea why ACS is requesting keyAgreement and keyCertSign?


Thanks in advance,




What you need to do is generate a compliant server certificate request OUTSIDE of ACS, then import both the certificate and private key. I have (un)fortunately learned enough OpenSSL to do this myself, but your cert guys should be able to help you generate it.


If you want to lose a day of your life and take a -1 hit to your sanity you can look at the following pages and try it:


Thanks for the answer Nathan. I know that I could use this solution - but the operations guys won't be happy about this detour :)

Just for everybody else running into this issue:


(optional) openssl config file should have a section for the certificate extensions inside the CSR

In Ubuntu the default openssl.cnf file is located in /usr/lib/ssl/openssl.cnf

[ ssl_web_server_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment


Create the CSR:

openssl req -nodes -newkey rsa:2048 -keyout acs.key -out acs.csr -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION>/OU=<OU>/CN=<COMMON-NAME>" -reqexts ssl_web_server_req

The private key will be written in the file "acs.key"

The CSR will be written in the file "acs.csr"


To view the CSR:

openssl req -noout -text -in acs.csr
Certificate Request:
        Version: 0 (0x0)
        Subject: C=DE, ST=Test, CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                [... output omitted ...]
        Requested Extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment

    Signature Algorithm: sha256WithRSAEncryption
                 [... output omitted ...]


Sign the CSR at your PKI / CA

After the CSR is signed by the CA, the certificate and the private key (acs.key) can be imported in ACS (Import Server Certificate)
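
A pre-submission check for the policy discussed in this thread, as an added example that is not part of the original posts: it reads the text form of a CSR and flags any requested key usage other than digitalSignature and keyEncipherment. The function names and the sample text are constructed for illustration; the usage names are the ones `openssl req -text` prints (keyCertSign appears as "Certificate Sign").

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Allow-list per the thread's PKI policy, spelled the way `openssl req -text` prints them.
ALLOWED_USAGES="Digital Signature,Key Encipherment"

# Read `openssl req -noout -text` output on stdin; print requested key usages, one per line.
requested_key_usages() {
    awk '
        grab {
            n = split($0, u, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", u[i])
                if (u[i] != "") print u[i]
            }
            exit
        }
        /X509v3 Key Usage:/ { grab = 1 }   # values are on the following line
    '
}

# Exit status: 0 = all usages allowed, 1 = violations (printed), 2 = no Key Usage extension.
check_key_usage() {
    usages=$(requested_key_usages)
    if [ -z "$usages" ]; then
        echo "no Key Usage extension in request" >&2
        return 2
    fi
    bad=$(printf '%s\n' "$usages" | while IFS= read -r u; do
        case ",$ALLOWED_USAGES," in
            *",$u,"*) ;;
            *) printf 'not allowed by policy: %s\n' "$u" ;;
        esac
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample: extension block of a request with the four usages the thread attributes to ACS.
sample_acs_csr_text() {
    cat <<'EOF'
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
EOF
}

sample_acs_csr_text | check_key_usage || echo "request would be refused under this policy"
# Real request: openssl req -noout -text -in acs.csr | check_key_usage
```

Running the same check against the CSR exported from ACS and against the one generated with OpenSSL shows the difference before either file goes to the CA.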