Cisco Bug: CSCvi66171 - Unable to sign CSR with Basic Constraints Extension

Last Modified

Oct 16, 2018

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.3(0.902)

Description (partial)

Symptom:
When using the ISE internal CA to sign CSRs, an error occurs when trying to sign a CSR that contains the X509v3 Basic Constraints field.

Error on the Certificate provisioning portal:
CA error

Logs extract:
2018-03-26 13:20:06,363 DEBUG  [caservice-http-94444][scep job b4a3c483b9c4bf6035795a9fc26e5617c30da1f6 0xf491fa40 request] com.cisco.cpm.caservice.CrValidator -:::::- request validation result CR_EXTENSION_UNSUPPORTED
2018-03-26 13:20:06,363 WARN   [caservice-http-94444][scep job b4a3c483b9c4bf6035795a9fc26e5617c30da1f6 0xf491fa40 request] com.cisco.cpm.caservice.CertificateAuthority -:::::- Certificate Services Endpoint Certificate request failed validation

Conditions:
- ISE internal CA;
- Certificate provisioning portal;
- CSR containing the fields below:

        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
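
A log triage sketch for the signature above, added here as an example (not Cisco code): it groups caservice log lines by SCEP job id and flags jobs where the validator reported CR_EXTENSION_UNSUPPORTED and the request was then rejected. The line layout is assumed from the two log lines quoted above, the function names are hypothetical, and the third sample line is constructed.

```python
import re

# Layout inferred from the two log lines quoted in the bug text (assumption);
# lines that do not match it are skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+\[[^\]]*\]"
    r"\[scep job (?P<job>[0-9a-f]+) (?P<handle>0x[0-9a-f]+) request\]\s+"
    r"(?P<logger>\S+)\s+-:::::-\s+(?P<msg>.*)$"
)
RESULT_RE = re.compile(r"request validation result (?P<result>\w+)")
FAILED_MSG = "Certificate request failed validation"

# First two lines are from the bug text; the last one is constructed to show
# a rejected request that does not carry this bug's validation result.
SAMPLE_LOG = """
2018-03-26 13:20:06,363 DEBUG  [caservice-http-94444][scep job b4a3c483b9c4bf6035795a9fc26e5617c30da1f6 0xf491fa40 request] com.cisco.cpm.caservice.CrValidator -:::::- request validation result CR_EXTENSION_UNSUPPORTED
2018-03-26 13:20:06,363 WARN   [caservice-http-94444][scep job b4a3c483b9c4bf6035795a9fc26e5617c30da1f6 0xf491fa40 request] com.cisco.cpm.caservice.CertificateAuthority -:::::- Certificate Services Endpoint Certificate request failed validation
2018-03-26 13:21:10,101 WARN   [caservice-http-94444][scep job 00000000000000000000000000000000deadbeef 0x00000000 request] com.cisco.cpm.caservice.CertificateAuthority -:::::- Certificate Services Endpoint Certificate request failed validation
"""

def find_rejected_requests(lines):
    """Return one record per SCEP job whose request failed validation."""
    jobs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = jobs.setdefault(m["job"], {"job": m["job"], "first_seen": m["ts"],
                                         "result": None, "failed": False})
        r = RESULT_RE.search(m["msg"])
        if r and m["logger"].endswith(".CrValidator"):
            rec["result"] = r["result"]      # validator verdict for this job
        elif FAILED_MSG in m["msg"]:
            rec["failed"] = True             # CA rejected the request
    return [rec for rec in jobs.values() if rec["failed"]]

def matches_cscvi66171(record):
    """True when a rejected job shows the validation result quoted in this bug."""
    return record["failed"] and record["result"] == "CR_EXTENSION_UNSUPPORTED"

if __name__ == "__main__":
    for rec in find_rejected_requests(SAMPLE_LOG.splitlines()):
        tag = "CSCvi66171 signature" if matches_cscvi66171(rec) else "other rejection"
        print(rec["first_seen"], rec["job"], tag)
```
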