Cisco Bug: CSCvt87502 - CN and OU are missing or incomplete when using special characters in those fields in WSA Client Cert

Last Modified

May 20, 2020

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

11.8.0-453

Description (partial)

Symptom:
Under Network > Identity Service Engine > WSA Client Certificate, when generating a new certificate and key with a common name that contains a special character (test.cisco, for example), the common name appears to be stripped away from the cert that is generated.
In addition, when the Organization Unit contains a special character (cisco/tac, for example), the organization unit on the generated cert shows only the characters in front of the special character; the above example would show only "cisco" instead of "cisco/tac".

Conditions:
Generating a WSA client cert for ISE integration.
Creating a cert with the following conditions:
common name: test.cisco (any sort of special character in the CN)
organization: cisco
organization unit: cisco/tac (any name with a special character present)
country: US
duration before expiration: 36 months
basic constraints: unchecked

The GUI doesn't appear to show the common name and omits any characters in the organization unit from the special character to the end (in the above example, only cisco is shown as the OU).

When checking the cert created from the backend, it looks like the CN was stripped away and the OU was saved as "cisco":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d6:e2:f6:82:39:ce:2e:f8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=cisco, OU=cisco
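
A check for this symptom, as an added example (not Cisco's code): it parses a distinguished-name line in the text-dump format shown above (the format printed by `openssl x509 -text`) and compares it with the values entered in the form. The function names and the `requested` dictionary are assumptions made for illustration.

```python
import re

def parse_dn(line):
    """Parse a line such as 'Issuer: C=US, O=cisco, OU=cisco' into a dict.

    Handles both 'C=US' and 'C = US' spellings. Assumes single-valued
    attributes and no ', KEY=' sequence inside a value.
    """
    _, _, dn = line.strip().partition(":")
    attrs = {}
    # Split only on commas that are followed by the next 'KEY=' token.
    for part in re.split(r",\s*(?=[A-Za-z]+\s*=)", dn.strip()):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def dn_mismatches(requested, dn_line):
    """Return (attribute, kind, requested, issued) for every field that
    did not survive certificate generation unchanged."""
    issued = parse_dn(dn_line)
    findings = []
    for key, want in requested.items():
        got = issued.get(key)
        if got is None:
            findings.append((key, "missing", want, None))
        elif got != want:
            # A value cut off at a special character is a prefix of the request.
            kind = "truncated" if want.startswith(got) else "changed"
            findings.append((key, kind, want, got))
    return findings

# Values entered in the form, taken from the Conditions section above.
REQUESTED = {"CN": "test.cisco", "O": "cisco", "OU": "cisco/tac", "C": "US"}
# DN line copied from the certificate dump above.
ISSUER_LINE = "        Issuer: C=US, O=cisco, OU=cisco"

if __name__ == "__main__":
    for attr, kind, want, got in dn_mismatches(REQUESTED, ISSUER_LINE):
        print(f"{attr}: {kind} (requested {want!r}, cert has {got!r})")
```

Running the same comparison on the Subject line of a generated certificate before it is used for the ISE integration confirms whether the release in use is affected.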