Missing details from ACS 5.1 CSR

Answered Question
Apr 30th, 2010

I have generated a CSR from the ACS 5.1 and have submitted it to the CA (Verisign) to get it signed. The CA returned an error "Error 9506 - Missing Organization" with a detail message stating the CSR does not contain an organisation. I followed the Cisco User Guide ACS 5.1 to generate a CSR and the only inputs allowed are CN and key length.

I have decoded the CSR and only see the CN and key length but not other details.

Where can I input other details such as Organization, OU, Locality etc. in ACS 5.1? Or what is the workaround to get the certificate signed by the CA?

Correct Answer
Javier Henderson Mon, 05/03/2010 - 07:41

If the CA insists on having an organizational name attribute in the CSR, you could create the CSR and private key on another system, submit the CSR to the CA for signature, then import the signed certificate and private key into ACS (first option when you click on "Add" in the System Administration -> Local Server Certificates -> Local Certificates screen).

To generate a CSR in a Unix system, for example, you could use the following commands:

openssl genrsa -out mykey.pem 1024 (or use 2048 if needed)

openssl req -new -key mykey.pem -out mycsr.pem


Answer the prompts as needed, then send the file "mycsr.pem" to the CA for signature. When you get it back signed, import it and the private key into ACS.
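
A non-interactive version of the commands in the answer above, with a check that the resulting CSR actually carries the attributes the CA requires before it is submitted. This is an added example, not part of the original thread; the hostname, the organization values and the helper function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Subject values are constructed placeholders.

# make_csr KEY CSR SUBJECT: new 2048-bit RSA key (owner-only file) plus CSR.
make_csr() {
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# csr_subject CSR: print the request's subject as one RFC 2253 line.
csr_subject() {
    _s=$(openssl req -in "$1" -noout -subject -nameopt RFC2253) || return 2
    _s=${_s#subject=}
    printf '%s\n' "${_s# }"
}

# csr_missing_attrs CSR ATTR...: print the required attribute types that are
# absent from the subject; return 0 if none are missing, 1 otherwise.
csr_missing_attrs() {
    _subj=$(csr_subject "$1") || return 2
    shift
    _missing=""
    for _a in "$@"; do
        case ",$_subj" in
            *",$_a="*) ;;
            *) _missing="${_missing:+$_missing }$_a" ;;
        esac
    done
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# Demo: a full subject passes; a CN-only subject (the case the CA rejected
# with "Missing Organization") is flagged before submission.
tmp=$(mktemp -d)
make_csr "$tmp/full.key" "$tmp/full.csr" \
    "/C=AU/ST=NSW/L=Sydney/O=Example Org/OU=IT/CN=acs.example.internal"
make_csr "$tmp/cn.key" "$tmp/cn.csr" "/CN=acs.example.internal"
for f in full cn; do
    miss=$(csr_missing_attrs "$tmp/$f.csr" CN O OU L C) \
        && echo "$f: ok" || echo "$f: missing $miss"
done
rm -rf "$tmp"
```

The private key stays on the system that generated it until it is imported into ACS together with the signed certificate; only the CSR file goes to the CA.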

jeensernchew Tue, 05/04/2010 - 04:58

Thanks for your reply Javier.

I found out the solution to enter those details directly into ACS 5.1. Under 'Certificate Subject' the default value is 'CN=' making me think that CN was the only acceptable information. I found out I can enter other information by adding a comma.

E.g. In Certificate Subject: CN=acsprimary.internal,O=Cisco,OU=IT,L=NSW,A=AU
