Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

ISE CSR Generation failed

Hi,

I'm trying to generate a CSR on my ISE 1.1.1.268 ,I'm always getting this error "CSR generation failed: Invalid certificate subject DN length "

I followed cisco guide , and I used the ISE  FQDN for the CN , but CSR generation is still failing ..

My ISE FQDN is :  kam-ise-01.kamcorp.kam.com

here is the certificate subject i have used :

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, S=CA, L=NY

Any help please ..

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE CSR Generation failed

Could you please try this:

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY

I corrected the format. I think you were using only S. however the user guide says ST for state.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1077292

We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong

CSCuj28351    ISE complains about DN length when the problem is the format

Symptom:

ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE

Conditions:

It happens not necessarily when the whole subject is too long but if the format is wrong also

For example if you enter "C=Belgium" instead of "C=BE", you will get this error.

State and country are 2 certificates field that requires code letters and not full name.

Workaround:

Correct your fields to match the right X509 format

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
3 REPLIES
Cisco Employee

Re: ISE CSR Generation failed

Could you please try this:

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY

I corrected the format. I think you were using only S. however the user guide says ST for state.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1077292

We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong

CSCuj28351    ISE complains about DN length when the problem is the format

Symptom:

ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE

Conditions:

It happens not necessarily when the whole subject is too long but if the format is wrong also

For example if you enter "C=Belgium" instead of "C=BE", you will get this error.

State and country are 2 certificates field that requires code letters and not full name.

Workaround:

Correct your fields to match the right X509 format

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

ISE CSR Generation failed

100% , This is it .. Thaks for your help .

Cisco Employee

ISE CSR Generation failed

Good to know

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
505
Views
0
Helpful
3
Replies
CreatePlease to create content