02-04-2016 10:59 AM - edited 03-10-2019 11:27 PM
Greetings,
I recently setup a new ISE 2.0 server and am having trouble generating a CSR. The issue is that our CSR requires more than one OU. Within the ISE 2.0 Certificate Signing Request GUI, there is only one space to enter an OU so I am guessing you have to enter the entire OU string on that line.
Now when I generate the CSR I need to add multiple OU's - In ISE 1.3 There was one subject line to enter the entire string. In 2.0 - not so much.
When I check the CSR via openssl for the correct Subject before submittal this is what I see which I think is wrong.
Below is what it looks like in the ISE
I have tried to escape the equals sign with a backslash, but the OU\= still shows up. Once again I am pretty sure this is wrong as the first OU does not have a \ in front of the equals sign.
I never had any problem on our ISE1.3 server or our ACS servers for CSR generation. Has anyone ran into this issue? Am I missing the proper syntax? Cisco has no documentation on multiple OU's in ISE 2.0. I do have a TAC open but I just wanted to see if anyone had come across or know how to fix this issue.
Thanks!
<!--break-->
Solved! Go to Solution.
02-07-2016 12:38 PM
Netwerk - as a workaround, stand up a 1.3 server and generate your certs. Once signed, export your pub and pvk keys and import into 2.0. Obviously everything will need to match but it should work. If your using a wildcard it should be quick. If not you'll need to repeat the process for each node. GL
02-09-2016 11:02 AM
Ryan, why not generate your CSR like you wan't it to look with a tool like openssl or XCA ? I almost never use ISE to generate the CSR for an ISE Server.
02-04-2016 08:10 PM
Just tried with ISE 2.0 P2 - I was able to generate it. Is my subject string is different then what you need.
02-05-2016 08:51 AM
I can generate a CSR, its just that the Subject line is not coming out right when you add multiple OU's.
A typical Subject string on a generated CSR when viewing the CSR through OpenSSL prior to submittal to a CA looks like this:
Subject: CN=mysrv.domain.com,OU=TEST, OU=TEST2, OU=TEST3, O=SomeOrg, C=US
When viewing the PEM via OpenSSL from Ciscos CSR from the ISE 2.0 looks like this:
Subject: CN=mysrv.domain.com,OU=TEST, OU\=TEST2, OU\=TEST3, O=SomeOrg, C=US
Notice the slashes before the second and third OU. The CSR from the ISE 2.0 is putting slashes in the Subject line before the equal sign on the additional OU's. Also, notice there are no slashes in the first OU which is OU=TEST.
That's the issue. Our CA wouldn't accept the generated CSR due to the ambiguous slashes in the Subject line.
I know the escape character is \ and to add additional DN's it says to use \, to escape the comma but for some reason when you add the additional OU's it's putting \ before equal signs. This is not correct.
I just checked a CSR on my ACS 5.8 server and it looks like this:
CN=mysrv.domain.com, OU=TEST, OU=TEST1, OU=TEST2, O=SomeOrg, C=US
Only difference on the ACS 5.8 is that when you generate the CSR it has one entry line for the Subject:
There you put: CN=mysrv.domain.com, OU=TEST, OU=TEST1, OU=TEST2, O=SomeOrg, C=US
The CSR is generated correctly and looks like this:
02-05-2016 08:51 AM
OK, so I heard back from my TAC support. This is not intended to be working this way - TAC was able to reproduce issue and has elevated the issue to the collaboration team.
I rolled back to Patch 1 and tried - still broke.
I rolled back to Base line 2.0 install and its still broke.
Anyone having this issue in 2.0 - hold out - I will post the workaround (if there is one) and will let you know what the TAC outcome is.
02-07-2016 12:38 PM
Netwerk - as a workaround, stand up a 1.3 server and generate your certs. Once signed, export your pub and pvk keys and import into 2.0. Obviously everything will need to match but it should work. If your using a wildcard it should be quick. If not you'll need to repeat the process for each node. GL
02-09-2016 11:02 AM
Ryan, why not generate your CSR like you wan't it to look with a tool like openssl or XCA ? I almost never use ISE to generate the CSR for an ISE Server.
02-09-2016 11:05 AM
Jan,
Sure there's certainly multiple workarounds for this. I would just suggesting something easy as it sounded like the user had 1.3 running. But I agree as well.
-Ryan
03-03-2016 07:08 AM
So there is an official bug report open with TAC to fix this issue. In the mean time, I used ACS to generate my CSR's for my ISE box. I then binded the CSR response to the request and exported the pub and priv key to my desktop. I then uploaded the new certificates to ISE and bound them to their respective interfaces.
Alternatively I could have used openssl.exe to generate the certificates, but ACS GUI is just faster.
Cheers!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide