10-24-2017 08:10 AM
The following GUI is under External Identity Sources -> Certificate Authentication Profile. We would like to use the certificate's serial number as identity, but the only option I see is “subject – serial number” (see below). It is my understanding that “subject-serial number” does not make sense to our PKI guys (I think that terminology is invalid in their view). We thought maybe it meant the certificate's serial number, which is what we want, but when I configured it, ISE failed saying the user information couldn’t be retrieved from the certificate. This would make sense if it’s trying to pull it out of the subject field, which is what I think it’s probably doing based on the GUI, but the PKI guys would like to know what is “subject – serial number” and is it really a valid thing? Also, is there a way to use the certificate’s serial number as “user” identity to query LDAP?
10-24-2017 08:23 AM
ISE dictionary CERTIFICATE has three serial numbers (attached a screenshot from ISE 2.3 conditions studio):
And "Certificates with serialNumber in subject - Server - Let's Encrypt Community Support" shows that it is possible to have the serial number as part of the “Subject”. Our engineering team confirmed that certificate serial number and subject serial number fields are independent. Only the one that is part of the Subject line will be chosen and used in the ISE cert auth profile.
The “subject - serial number” very likely differs from the serial number of the certificate issued by the CA. See examples below:
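The two fields discussed in this thread can be read side by side with the Python `cryptography` package. This is an added example, not part of the original posts and not Cisco code; the certificates are throwaway self-signed samples built inline, and the subject value `EMP-004711` and both CA serial numbers are made up for illustration.

```python
# Added example: constructed test certificates, not taken from the thread.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(subject_attrs, cert_serial):
    """Build a throwaway self-signed certificate (constructed sample data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject_attrs])
    now = datetime.datetime(2017, 10, 24)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(cert_serial)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )


def serial_fields(cert):
    """Return the two independent 'serial number' values of a certificate."""
    subject_serials = [
        a.value for a in cert.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER)
    ]
    return {
        # tbsCertificate.serialNumber: assigned by the issuing CA
        "certificate_serial": format(cert.serial_number, "X"),
        # Subject DN attribute serialNumber (OID 2.5.4.5): optional, may be absent
        "subject_serial": subject_serials[0] if subject_serials else None,
    }


# Subject carries a serialNumber attribute (hypothetical value)
WITH_ATTR = make_cert(
    [(NameOID.COMMON_NAME, "jdoe"), (NameOID.SERIAL_NUMBER, "EMP-004711")],
    0x1A2B3C4D,
)
# Subject has only a CN, so there is no subject serialNumber to read
WITHOUT_ATTR = make_cert([(NameOID.COMMON_NAME, "jdoe")], 0x5E6F7081)

if __name__ == "__main__":
    print(serial_fields(WITH_ATTR))
    print(serial_fields(WITHOUT_ATTR))
```

For the second certificate `subject_serial` is `None` while `certificate_serial` is still populated, which shows that a certificate can have a CA-issued serial number and no serialNumber in its Subject at all.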