Common Name (CN) in certificate in ISE

Lucas Woo
Level 1

Hello.

I want to issue client certificates for employees in ISE.

Each employee has to import the client certificate into their Windows/Mac PC,
but I can't enter the employee's name and this error message is displayed.

ise_cn.jpg

The image is like this.
-------
Mike
Dave
Bob
Smith



-------

I tried to enter the name "Mike", but after entering it a specific error message was displayed.

I don't know the subject the employee's name are displayed.

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Hi @Lucas Woo

If you are logging in as a non-admin user (e.g. mike, bob, etc.) then the subject common name must be the same as the username that was used to log in (e.g. mike). This is a security feature to stop regular users from creating certificates that do not belong to them.

The admin user can create certificates on behalf of a user - this is a highly privileged process and must be done by a trusted admin only.

I can't recall right now how to tell the ISE portal which Group of users is admin - perhaps others can help out. I have used this in lab scenarios only to quickly create certs for users - but I log in as each user to create those certs.


4 Replies

Charlie Moreton
Cisco Employee

Administration > Device Portal Management > Certificate Provisioning

Expand Portal Settings, select the Identity Source Sequence to be used. If needed, you can also select groups from that ISS to act as admins.

CPP_ISS.png

Arne Bier
VIP

Thanks @Charlie Moreton - I will give that a whirl next time I am testing this out. I was using the ISE internal identity store and I was unable to assign any "admin" attribute to an internal ISE user. I guess I missed the part about using that ISS.
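
The rule from the accepted answer (a non-admin's subject CN must equal the login username) together with the admin-group setting from Charlie Moreton's reply, written out as an added example; it is not Cisco's code and not from the thread. The group name `CertPortalAdmins`, the function names, the RFC 4514 style subject string and the exact-match comparison are all assumptions.

```python
import re

# Hypothetical names throughout: this models the portal rule, it is not ISE code.
ADMIN_GROUPS = {"CertPortalAdmins"}  # constructed group name

def split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def common_names(subject_dn):
    """Return every CN value found in the subject string."""
    cns = []
    for rdn in split_unescaped(subject_dn, ","):
        for ava in split_unescaped(rdn, "+"):       # multi-valued RDN
            attr, _, value = ava.partition("=")
            if attr.strip().upper() == "CN":
                # Hex escapes are not decoded, so such values never match a
                # username and the request is refused (fails closed).
                cns.append(re.sub(r"\\(.)", r"\1", value.strip()))
    return cns

def may_issue(login_user, user_groups, subject_dn):
    """Admins may request any subject; others only one CN equal to their login."""
    if ADMIN_GROUPS & set(user_groups):
        return True
    cns = common_names(subject_dn)
    return len(cns) == 1 and cns[0] == login_user
```

Requiring exactly one CN, rather than "some CN matches", is what keeps a subject with a second or escaped CN from passing the check.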