
ISE usage of “subject-serial number” / "certificates serial number as identity"

jideji
Cisco Employee

The following GUI is under External Identity Sources -> Certificate Authentication Profile. We would like to use the certificate's serial number as identity, but the only option I see is “subject – serial number” (see below). It is my understanding that “subject-serial number” does not make sense to our PKI guys (I think that terminology is invalid in their view). We thought maybe it meant the certificate's serial number, which is what we want, but when I configured it, ISE failed, saying the user information couldn't be retrieved from the certificate. This would make sense if it's trying to pull it out of the subject field, which is what I think it's probably doing based on the GUI, but the PKI guys would like to know what “subject – serial number” is and whether it is really a valid thing. Also, is there a way to use the certificate's serial number as “user” identity to query LDAP?

Accepted Solution

hslai
Cisco Employee

ISE dictionary CERTIFICATE has three serial numbers (attached a screenshot from ISE 2.3 conditions studio):

[Attached screenshot: Screen Shot 2017-10-23 at 9.50.40 PM.png]

And the Let's Encrypt Community Support thread "Certificates with serialNumber in subject - Server" shows that it is possible to have the serial number as part of the “Subject”. Our engineering team confirmed that the certificate serial number and subject serial number fields are independent. Only the one that is part of the Subject line will be chosen and used in the ISE cert auth profile.

The "subject - serial number" very likely differs from the serial number of the certificate issued by the CA. See examples below:


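To make the accepted answer's point concrete, here is an added example (not from the post, and not ISE's own code): it hand-builds a constructed, unsigned X.509 DER structure with dummy key and signature bytes, then parses it to show that the certificate's serialNumber (the CA-assigned value) and the Subject DN's serialNumber attribute (OID 2.5.4.5, the value a "subject - serial number" selector would read) are two independent fields; a Subject without that attribute yields None for it.

```python
# Added example (not the thread's): hand-built unsigned X.509 DER with dummy key/signature bytes.
SEQ, SET, INT, OID, PRINTABLE, UTCTIME, BITSTR, NULL = 0x30, 0x31, 0x02, 0x06, 0x13, 0x17, 0x03, 0x05
OID_CN, OID_SUBJECT_SERIAL = bytes.fromhex("550403"), bytes.fromhex("550405")  # 2.5.4.3, 2.5.4.5
OID_SHA256_RSA, OID_RSA = bytes.fromhex("2a864886f70d01010b"), bytes.fromhex("2a864886f70d010101")

def der(tag, body):  # encode one DER TLV, using the long length form when needed
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def rdn(oid, text):  # one RelativeDistinguishedName: SET { SEQ { OID, PrintableString } }
    return der(SET, der(SEQ, der(OID, oid) + der(PRINTABLE, text.encode())))

def build_cert(cert_serial, subject_serial=None):
    # cert_serial: the CA-issued serial number; subject_serial: optional serialNumber DN attribute
    subject = rdn(OID_CN, "device01")
    if subject_serial is not None:
        subject += rdn(OID_SUBJECT_SERIAL, subject_serial)
    tbs = (der(0xA0, der(INT, b"\x02"))  # [0] EXPLICIT version v3
           + der(INT, cert_serial.to_bytes((cert_serial.bit_length() + 8) // 8, "big"))
           + der(SEQ, der(OID, OID_SHA256_RSA))
           + der(SEQ, rdn(OID_CN, "Example Issuing CA"))
           + der(SEQ, der(UTCTIME, b"230101000000Z") + der(UTCTIME, b"330101000000Z"))
           + der(SEQ, subject)
           + der(SEQ, der(SEQ, der(OID, OID_RSA) + der(NULL, b"")) + der(BITSTR, b"\x00\x00")))
    return der(SEQ, der(SEQ, tbs) + der(SEQ, der(OID, OID_SHA256_RSA)) + der(BITSTR, b"\x00\x00"))

def tlvs(data):  # yield (tag, body) for the consecutive DER elements in data
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, data[i:i + n]
        i += n

def extract_serials(cert):
    # returns (certificate serialNumber as int, Subject serialNumber attribute or None)
    fields = list(tlvs(next(tlvs(next(tlvs(cert))[1]))[1]))  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:  # skip the explicit version element if present
        fields = fields[1:]
    cert_serial = int.from_bytes(fields[0][1], "big", signed=True)
    subject_serial = None
    for _, rdn_set in tlvs(fields[4][1]):  # serial, sigalg, issuer, validity, subject
        for _, atv in tlvs(rdn_set):
            (_, oid), (_, value) = tlvs(atv)
            if oid == OID_SUBJECT_SERIAL:
                subject_serial = value.decode()
    return cert_serial, subject_serial
```

On a real certificate, `openssl x509 -noout -serial -subject -in cert.pem` prints the same two values side by side, which is a quick way to check whether a given PKI puts a serialNumber attribute in the Subject at all.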
2 Replies


jideji
Cisco Employee

Thanks.