netwerk
Beginner

ISE 2.0 CSR with Multiple OU's

Greetings,

I recently set up a new ISE 2.0 server and am having trouble generating a CSR. The issue is that our CSR requires more than one OU. Within the ISE 2.0 Certificate Signing Request GUI, there is only one space to enter an OU, so I am guessing you have to enter the entire OU string on that line.

[image: ISE_CSR]

Now when I generate the CSR I need to add multiple OU's - In ISE 1.3 There was one subject line to enter the entire string. In 2.0 - not so much.

[image: ise_two]

When I check the CSR via openssl for the correct Subject before submitting it, this is what I see, which I think is wrong.

[image: ise_three]

Below is what it looks like in ISE:

[image: ise_four]

I have tried to escape the equals sign with a backslash, but the OU\= still shows up. Once again I am pretty sure this is wrong as the first OU does not have a \ in front of the equals sign.

I never had any problem on our ISE 1.3 server or our ACS servers for CSR generation. Has anyone run into this issue? Am I missing the proper syntax? Cisco has no documentation on multiple OU's in ISE 2.0. I do have a TAC case open, but I just wanted to see if anyone had come across this or knows how to fix it.

Thanks!

Jatin Katyal
Cisco Employee

Just tried with ISE 2.0 P2 - I was able to generate it. Is my subject string different from what you need?

~Jatin

I can generate a CSR; it's just that the Subject line is not coming out right when you add multiple OU's.

A typical Subject string on a generated CSR, when viewing the CSR through OpenSSL prior to submittal to a CA, looks like this:

Subject: CN=mysrv.domain.com,OU=TEST, OU=TEST2, OU=TEST3, O=SomeOrg, C=US

When viewing the PEM of the CSR generated by ISE 2.0 via OpenSSL, it looks like this:

Subject: CN=mysrv.domain.com,OU=TEST, OU\=TEST2, OU\=TEST3, O=SomeOrg, C=US

Notice the slashes before the second and third OU. The CSR from ISE 2.0 is putting slashes in the Subject line before the equal sign on the additional OU's. Also, notice there are no slashes in the first OU, which is OU=TEST.

That's the issue. Our CA wouldn't accept the generated CSR due to the ambiguous slashes in the Subject line.

I know the escape character is \ and that to add additional DN's it says to use \, to escape the comma, but for some reason when you add the additional OU's it's putting \ before the equal signs. This is not correct.

I just checked a CSR on my ACS 5.8 server and it looks like this:

CN=mysrv.domain.com, OU=TEST, OU=TEST1, OU=TEST2, O=SomeOrg, C=US

The only difference on the ACS 5.8 is that when you generate the CSR it has one entry line for the Subject:

There you put: CN=mysrv.domain.com, OU=TEST, OU=TEST1, OU=TEST2, O=SomeOrg, C=US

The CSR is generated correctly and looks like this:

OK, so I heard back from my TAC support. This is not intended to be working this way - TAC was able to reproduce the issue and has elevated it to the collaboration team.

I rolled back to Patch 1 and tried - still broke.

I rolled back to the baseline 2.0 install and it's still broke.

Anyone having this issue in 2.0 - hold out - I will post the workaround (if there is one) and will let you know what the TAC outcome is.
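The thread's check is done by eye: print the CSR subject with OpenSSL and look for a backslash before an equal sign. The script below does the same check mechanically. It is an added example, not code from the thread, from Cisco, or from the ISE product: a simplified RFC 4514 DN reader (single-valued RDNs only, no `+` handling) that splits the subject into RDNs on unescaped commas, requires each RDN to contain exactly one unescaped `=`, and decodes the legal escapes (`\,`, `\=`, `\\`, `\XX` hex pairs). The two sample subjects are constructed from the shapes quoted above; the function names (`parse_dn`, `check_subject`, `organizational_units`) are this example's own.

```python
"""Validate an RFC 4514 subject string before submitting a CSR to a CA.

The defect shown in the thread is that ISE 2.0 emitted 'OU\\=TEST2' for the
second and third OU. Under RFC 4514 a backslash-escaped '=' is part of the
VALUE, so that RDN has no type/value separator at all and a strict CA (or any
strict parser) rejects the whole subject. This checker reproduces that rejection
and accepts the correctly formed ACS/ISE 1.3 style subject.
"""
from __future__ import annotations

import re

# Constructed sample subjects, copied from the shapes quoted in the thread.
GOOD_SUBJECT = "CN=mysrv.domain.com,OU=TEST, OU=TEST2, OU=TEST3, O=SomeOrg, C=US"
BAD_SUBJECT = "CN=mysrv.domain.com,OU=TEST, OU\\=TEST2, OU\\=TEST3, O=SomeOrg, C=US"

# RFC 4514 attribute type: a descriptor (letter, then letters/digits/hyphens)
# or a dotted-decimal OID.
ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$")


def split_unescaped(text: str, sep: str) -> list[str]:
    """Split text on sep, treating any backslash-escaped character as literal."""
    parts: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(ch)          # keep the escape pair intact for later decoding
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(value: str) -> str:
    """Decode RFC 4514 escapes: '\\X' for a special character, '\\XX' for a UTF-8 byte."""
    buf = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))   # hex-escaped byte
                i += 3
            else:
                buf += value[i + 1].encode("utf-8")  # escaped special character
                i += 2
            continue
        buf += ch.encode("utf-8")
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN string into (type, value) pairs; raise ValueError on a malformed RDN."""
    rdns: list[tuple[str, str]] = []
    for rdn in split_unescaped(dn, ","):
        rdn = rdn.strip()
        if not rdn:
            continue
        fields = split_unescaped(rdn, "=")
        if len(fields) != 2:
            # This is exactly what happens to 'OU\=TEST2': the only '=' is escaped.
            raise ValueError(f"RDN '{rdn}' has no unescaped '=' separating type and value")
        attr, raw_value = fields[0].strip(), fields[1].strip()
        if not ATTR_TYPE.match(attr):
            raise ValueError(f"RDN '{rdn}': '{attr}' is not a valid attribute type")
        rdns.append((attr, unescape_value(raw_value)))
    return rdns


def organizational_units(dn: str) -> list[str]:
    """Return the OU values in subject order, as a CA would see them."""
    return [value for attr, value in parse_dn(dn) if attr.upper() == "OU"]


def check_subject(dn: str) -> tuple[bool, object]:
    """Return (True, [OU values]) for a well-formed subject, or (False, reason)."""
    try:
        return True, organizational_units(dn)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, subject in (("ACS/ISE 1.3 style", GOOD_SUBJECT), ("ISE 2.0 output", BAD_SUBJECT)):
        ok, detail = check_subject(subject)
        print(f"{label}: {'OK, OUs=' + str(detail) if ok else 'REJECT: ' + str(detail)}")
```

To feed it a real CSR rather than the constructed strings, print the subject in the comma-separated form first with `openssl req -in node.csr -noout -subject -nameopt RFC2253` and pass that line to `check_subject`. For Jan's suggestion of generating the request outside ISE, OpenSSL's `-subj` argument uses slash-separated RDNs and accepts a repeated OU directly, e.g. `openssl req -new -newkey rsa:2048 -nodes -keyout node.key -out node.csr -subj "/C=US/O=SomeOrg/OU=TEST/OU=TEST2/OU=TEST3/CN=mysrv.domain.com"`; the resulting CSR can then be verified with the same check before it goes to the CA.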

Netwerk - as a workaround, stand up a 1.3 server and generate your certs. Once signed, export your pub and pvk keys and import into 2.0. Obviously everything will need to match, but it should work. If you're using a wildcard it should be quick. If not, you'll need to repeat the process for each node. GL

Ryan, why not generate your CSR like you want it to look with a tool like openssl or XCA? I almost never use ISE to generate the CSR for an ISE Server.

Jan,

Sure, there are certainly multiple workarounds for this. I was just suggesting something easy, as it sounded like the user had 1.3 running. But I agree as well.

-Ryan

So there is an official bug report open with TAC to fix this issue. In the meantime, I used ACS to generate my CSR's for my ISE box. I then bound the CSR response to the request and exported the pub and priv key to my desktop. I then uploaded the new certificates to ISE and bound them to their respective interfaces.

Alternatively I could have used openssl.exe to generate the certificates, but ACS GUI is just faster.

Cheers!
