Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1789
Views
0
Helpful
3
Replies

ISE CSR Generation failed

Go to solution
Ali Koussan
Level 1
Level 1

‎10-26-2013 04:06 AM - edited ‎03-10-2019 09:02 PM

Hi,

I'm trying to generate a CSR on my ISE 1.1.1.268 ,I'm always getting this error "CSR generation failed: Invalid certificate subject DN length "

I followed cisco guide , and I used the ISE  FQDN for the CN , but CSR generation is still failing ..

My ISE FQDN is :  kam-ise-01.kamcorp.kam.com

here is the certificate subject i have used :

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, S=CA, L=NY

Any help please ..

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎10-26-2013 04:42 AM

Could you please try this:

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY

I corrected the format. I think you were using only S. however the user guide says ST for state.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1077292

We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong

CSCuj28351    ISE complains about DN length when the problem is the format

Symptom:

ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE

Conditions:

It happens not necessarily when the whole subject is too long but if the format is wrong also

For example if you enter "C=Belgium" instead of "C=BE", you will get this error.

State and country are 2 certificates field that requires code letters and not full name.

Workaround:

Correct your fields to match the right X509 format

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎10-26-2013 04:42 AM

Could you please try this:

CN=kam-ise-01.kamcorp.kam.com, OU=IT, O=KAM, C=US, ST=CA, L=NY

I corrected the format. I think you were using only S. however the user guide says ST for state.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1077292

We have a known bug on this as well where ISE should throw a more meaningful error and say what was wrong

CSCuj28351    ISE complains about DN length when the problem is the format

Symptom:

ISE throws "CSR generation failed" with "Invalid certificate subject DN length" when you create a CSR on ISE

Conditions:

It happens not necessarily when the whole subject is too long but if the format is wrong also

For example if you enter "C=Belgium" instead of "C=BE", you will get this error.

State and country are 2 certificates field that requires code letters and not full name.

Workaround:

Correct your fields to match the right X509 format

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Go to solution
Ali Koussan
Level 1
Level 1
In response to Jatin Katyal

‎10-26-2013 04:56 AM

100% , This is it .. Thaks for your help .

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Ali Koussan

‎10-27-2013 02:39 AM

Good to know

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Customers Also Viewed These Support Documents