10-26-2013 04:06 AM - edited 03-10-2019 09:02 PM
Hi,
I'm trying to generate a CSR on my ISE 1.1.1.268 ,I'm always getting this error "CSR generation failed: Invalid certificate subject DN length "
I followed cisco guide , and I used the ISE FQDN for the CN , but CSR generation is still failing ..
My ISE FQDN is : kam-ise-01.kamcorp.kam.com
here is the certificate subject i have used :
CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, S=CA, L=NY
Any help please ..
Solved! Go to Solution.
10-26-2013 04:42 AM
Could you please try this:
CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY
I corrected the format. I think you were using only S. however the user guide says ST for state.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1077292
We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong
CSCuj28351 ISE complains about DN length when the problem is the format
Symptom:
ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE
Conditions:
It happens not necessarily when the whole subject is too long but if the format is wrong also
For example if you enter "C=Belgium" instead of "C=BE", you will get this error.
State and country are 2 certificates field that requires code letters and not full name.
Workaround:
Correct your fields to match the right X509 format
~BR
Jatin Katyal
**Do rate helpful posts**
10-26-2013 04:42 AM
Could you please try this:
CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY
I corrected the format. I think you were using only S. however the user guide says ST for state.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1077292
We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong
CSCuj28351 ISE complains about DN length when the problem is the format
Symptom:
ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE
Conditions:
It happens not necessarily when the whole subject is too long but if the format is wrong also
For example if you enter "C=Belgium" instead of "C=BE", you will get this error.
State and country are 2 certificates field that requires code letters and not full name.
Workaround:
Correct your fields to match the right X509 format
~BR
Jatin Katyal
**Do rate helpful posts**
10-26-2013 04:56 AM
100% , This is it .. Thaks for your help .
10-27-2013 02:39 AM
Good to know
~BR
Jatin Katyal
**Do rate helpful posts**
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide