Mike Lehmann
Beginner

Cisco ACS 5.3 Certificate Request

I try to generate a certificate request in Cisco ACS 5.3 Web GUI via

System Administration >  Configuration >  Local Server Certificates >  Local Certificates > Add > Generate Certificate Signing Request .

The DN we have to use is specified by our CA-Administrator to something like

"O=my-company-for IT Service (mcIT),L=Berlin,ST=Berlin,C=DE" .

(spaces, brackets, ... but this is the requirement)

So my input in the field Certificate Subject is "CN= myserver.mcit.com,O=my-company-for IT Service (mcIT),L=Berlin,ST=Berlin,C=DE" .

(Key Length=2048, Digest=SHA1)

But then I get an error: Certificate Validation Error: "Invalid certificate subject DN name"

When I omit ST attribute it creates a request, but due to CA requirements I cannot.

The length of DN is 101.

Even without round brackets "(..)" the error occurs.

Some ideas?

7 REPLIES 7
Tarik Admani
Advocate

Your best bet is to use openssl to generate a CSR. Once you receive the signed cert import the cert and the intermediate and root certs along with the private key.

Let me know if you need help with that.

Sent from Cisco Technical Support Android App

Ok, I could generate a certificate request with openssl on a separate Linux box.

Then I think to import the signed certificate file I have to go to

System Administration >  ... >  Configuration >  Local Server Certificates >  Local Certificates  >  Create > Bind CA Signed Certificate... , right ?

But where can I import the private key?

As far as I understand by using the GUI the private key is created and later bound automatically to the signed cert but it is not directly accessible.

Tarik Admani
Advocate

You will have to import the certificate. It will ask for the private key and private key password along with the cert.

Sent from Cisco Technical Support Android App

hkhrais
Beginner

Hi ,

It's not bind CA certificate. It's the first option, which is the import server certificate option.

HTH

Sent from Cisco Technical Support Android App

Unfortunately it's not working.

I created a certificate (request and private key) on a linux box with openssl and sent the cert to our CA for signing.

Now I tried to import the signed cert with

System Administration >  ... >  Configuration >  Local Server Certificates >  Local Certificates  >  Create > Import Server Certificate, with my cert.pem and privkey.pem files and the password from request generation.

I get an error "Certification Validation Error: Invalid private key"

Request generation with the GUI wasn't possible - I suspect the ST attribute (without it is possible).

As already mentioned our CA requires a DN like "O=my-company-for IT Service (mcIT),L=Berlin,ST=Berlin,C=DE"

ST is mandatory.

Does anybody have an idea to solve this crux?

best regards

ML
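For the openssl route discussed above, an added example (not part of the thread and not Cisco's procedure) that builds a CSR carrying the required DN and checks that a private key and a request or signed certificate hold the same public key before anything is imported. The file names and the unencrypted key are assumptions, and SHA-256 is used here rather than the SHA1 setting quoted from the GUI.

```shell
#!/bin/sh
# Added example (not from the thread): CSR for the thread's DN via openssl,
# plus a check that a key and a request/certificate share one public key.

# The DN from the thread in openssl -subj order: C first, CN last.
SUBJ='/C=DE/ST=Berlin/L=Berlin/O=my-company-for IT Service (mcIT)/CN=myserver.mcit.com'

# make_csr KEYFILE CSRFILE
# New 2048-bit RSA key and a SHA-256 CSR. -nodes leaves the key unencrypted
# so the example runs unattended (assumption); drop it to be prompted.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJ" -keyout "$1" -out "$2" 2>/dev/null
}

# csr_subject CSRFILE: subject in RFC 2253 form (CN first), for comparison
# with the DN the CA administrator specified.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# pubkey_of key|req|x509 FILE: PEM public key contained in FILE.
# A password-protected key needs -passin or an interactive prompt.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# key_matches KEYFILE req|x509 FILE: true only if both parse and agree.
key_matches() {
    k=$(pubkey_of key "$1") && o=$(pubkey_of "$2" "$3") &&
        [ -n "$k" ] && [ "$k" = "$o" ]
}

# Demo in a scratch directory (file names are placeholders).
tmp=$(mktemp -d)
make_csr "$tmp/privkey.pem" "$tmp/req.csr"
csr_subject "$tmp/req.csr"
key_matches "$tmp/privkey.pem" req "$tmp/req.csr" && echo "key matches request"
rm -rf "$tmp"
```

Once the CA returns the signed certificate, `key_matches privkey.pem x509 cert.pem` confirms the pair belongs together before it is handed to any import dialog.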

Hi Mike,

I have the same problem, have you solved it ?

Using "S=" instead of "ST=" worked for me.

b.r.
