The Certificate Provisioning Portal issues certificates to devices that cannot go through the onboarding flow. For example, devices such as point-of-sale terminals require manual certificate issuance rather than the BYOD flow. The Certificate Provisioning Portal allows privileged users to upload certificate requests, generate key pairs if necessary, and download certificates.

To log in to the Certificate Provisioning Portal, your user account must belong to a specific Identity Group configured by your administrator. Contact your administrator for support.

Change your password in the Certificate Provisioning Portal only if you are a Cisco ISE internal user with information in the Cisco ISE internal database.

1. Log in to the Certificate Provisioning Portal using your credentials.

2. Click the Account menu drop-down list at the right upper corner.

3. Click Change Password.

4. Follow the instructions on screen to change your password.

To generate a single certificate with attributes:

1. Log in to the Certificate Provisioning Portal with your credentials.

2. From the I want to drop-down list, choose generate single certificate (no certificate signing request).

3. Enter your username (the username that you used to log in to the Certificate Provisioning Portal) in the Common Name field.

4. Enter the MAC address of the device for which you are requesting the certificate in the Subject alternative name (SAN) field.

5. Choose a certificate template.

6. (Optional) Enter a description.

7. Choose the certificate download format.

8. Enter a password to secure the client certificate. At the time of installing this certificate on the device, you must enter this password.

9. Click Generate.

A certificate zip file is generated that you can download to your system.

The authentication server uses the value that is presented in the Common Name (CN) field in the client certificate to authenticate a user. In the Common Name field, enter the username (that you used to log in to the Certificate Provisioning Portal).

Subject Alternative Names (SAN) is an X.509 extension that allows various values to be associated with a security certificate. In the SAN/MAC address field, enter the MAC address of your device in one of these formats:

• 00-11-22-33-44-55

• 00:11:22:33:44:55

• 0011.2233.4455

• 001122-334455

• 001122334455

A certificate template is used by the Certificate Authority (CA) to issue a certificate to an end entity. The certificate template is created by a Cisco ISE administrator, who defines a set of fields that the CA uses when validating a request and issuing a certificate. Fields such as the Common Name (CN) validate the request, and the CN must match the username. The CA uses other fields when issuing the certificate.

Download the end entity certificate in one of these formats. The term end entity refers to the user or device to whom the certificate is issued.

• PKCS12 format (including certificate chain; one file for both the certificate chain and key): A binary format to store the root CA certificate, the intermediate CA certificate(s), and the end entity's certificate and private key in one encrypted file.

• PKCS12 format (one file for both certificate and key): A binary format to store the end entity certificate and the private key in one encrypted file.

• Certificate in Privacy Enhanced Electronic Mail (PEM) format, key in PKCS8 PEM format (including certificate chain): The root CA certificate, the intermediate CA certificate(s), and the end entity certificate are represented in the PEM format. PEM formatted certificates are BASE64-encoded ASCII files. Each certificate starts with the "-------BEGIN CERTIFICATE-----" tag and ends with the "-----END CERTIFICATE-----" tag. The end entity's private key is stored using PKCS8 PEM and starts with the "----------BEGIN ENCRYPTED PRIVATE KEY-----" tag and ends with the "-----END ENCRYPTED PRIVATE KEY-----" tag.

• Certificate in PEM format, key in PKCS8 PEM format: The end entity certificate is represented in the PEM format. PEM formatted certificates are BASE64-encoded ASCII files. Each certificate starts with the "-------BEGIN CERTIFICATE-----" tag and ends with the "-----END CERTIFICATE-----" tag. The end entity's private key is stored using PKCS8 PEM and starts with the "----------BEGIN ENCRYPTED PRIVATE KEY-----" tag and ends with the "-----END ENCRYPTED PRIVATE KEY-----" tag.

A certificate password secures your certificate. Provide the password to view its contents and to import it onto a device. Your password must conform to these rules:

• Includes at least 1 uppercase letter, 1 lowercase letter, and 1 number

• Length: 8 to 15 characters

• Allowed characters: A-Z, a-z, 0-9, _, #

A certificate signing request (CSR) is a request for a certificate sent from an end entity (user/device) to a Certificate Authority (CA). The CSR contains information that identifies the end entity, including Common Name, Subject Alternative Name, and Department Name. OpenSSL is one of the most popular tools used to generate a CSR. Contact your administrator for information on how to obtain a CSR.

To generate a single certificate with CSR with attributes:

1. Log in to the Certificate Provisioning Portal with your credentials.

2. From the I want to drop-down list, choose generate single certificate (with certificate signing request).

3. Enter the CSR details.

4. Choose a certificate template.

5. (Optional) Enter a description.

6. Choose the certificate download format.

7. Enter a password to secure the client certificate. At the time of installing this certificate on the device, you must enter this password.

8. Click Generate.

A certificate zip file that includes a CSR is generated. Download it to your system.

Yes. You can make a bulk certificate request by creating a CSV file and uploading it to the Certificate Provisioning Portal. You can request a maximum of 500 certificates in a single bulk request.

To create the CSV file for bulk certificate request:

1. Log in to the Certificate Provisioning Portal using your credentials.

2. From the I want to drop-down list, choose generate bulk certificates.

3. Click Download CSV template here. The CSV template is downloaded to your system.

4. Open the downloaded file in a spreadsheet such as Excel.

5. Enter the CN and SAN values for the devices, one row for each device.

6. Save the file.

7. From the Certificate Provisioning Portal, click Upload.

8. Click Browse and select the CSV file from your system.

9. Choose a certificate template.

10. (Optional) Enter a description.

11. Choose the certificate download format.

12. Enter a password to secure the client certificate. At the time of installing this certificate on the device, you must enter this password.

13. Click Generate.

14. A certificate zip file containing all the certificates is generated. Download it to your system.

When a bulk certificate request is in progress, click Cancel from the Certificate Generation Status page.

You can submit only one request at a time. After the certificates are generated and you confirm that download is complete, you can submit another request.

If you close your browser or log out when a bulk certificate request is in progress, you are automatically redirected to the Certificate Generation Status page, where you can see the progress of your request. When certificate generation is complete, you can view the summary and download the generated certificates.

Only users with administrator privileges—Super Admin or ERS Admin—can generate certificates for others. Other users can request certificates for themselves only.

The contents of the zip file depend on the certificate download format you choose. The zip file contains:

• Certificate for the end entity: A certificate for the end entity that matches the information provided by you, such as the Common Name, Subject Alternative Name (SAN), and so on. For example, if a requester whose username is Joe submits a request for his device with MAC address (SAN) 11-22-33-44-55-66, then the certificate file is named as Joe_11-22-33-44-55-66.cer.

• Private key (only for single certificate using attributes or bulk certificate requests): A private key for the end entity certificate. If a requester whose username is Joe submits a request for his device with MAC address (SAN) 11-22-33-44-55-66, the private key file is named Joe_11-22-33-44-55-66.key.

• Certificate chain: All the certificates in the certificate chain leading up to the root CA for the Cisco ISE internal CA.

• For the end entity to trust the Cisco ISE server during EAP-TLS authentication, one of these files is present in the zip file:

  • EAP certificate chain (if the Cisco ISE server certificates are signed by an external CA)

  • Cisco ISE self-signed certificate (if the Cisco ISE server uses a self-signed certificate for server authentication)

After downloading the certificate zip file to your local system:

1. Import the certificates to the client device's keystore. If you submitted a bulk certificate request, copy the relevant end entity certificate and private key to the device that has the relevant MAC address (based on the SAN).

2. Modify your wireless or wired settings to use EAP-TLS based authentication and select the end entity certificate.

3. Connect the device to the network. The authentication should pass.

• Invalid request - The given CSR has a CN that doesn't match the provided username, and that user doesn't have ERS Admin

  This error message appears because the CN value in the request does not match the requester’s username. The CN must match the username of the user who is requesting the certificate. This check ensures that users do not request certificates for someone else. However, a user who belongs to the ERS Admin Group (an admin user) can request certificates for other users, and the CN does not have to match the admin user's username.

  Workaround: Resubmit the request with your username in the Common Name field.

• The given CN is invalid. Cannot contain [] " : ; | = , + * ? < > characters

  This error message appears when invalid characters are present in the CN. Invalid characters include [ ] " : ; | = , + * ? < >. These characters are not allowed in an Active Directory username; they must not appear in the CN.

  Workaround: Resubmit the request with a valid CN.

• Invalid MAC address

  This error appears because the MAC address is invalid. A MAC address must be of the form 11-11-11-11-11-11, 11:11:11:11:11:11, 1111.1111.1111, 111111.111111, 111111111111. Apart from the delimiters -, :, and ., the MAC address can only contain numbers 0 through 9 and letters A through F.

  Workaround: Provide the MAC address in a supported format and resubmit the request.

• CA server error - Certificate request to internal CA failed CN

  This error indicates a general failure with the Cisco ISE internal CA.

  Workaround: Resubmit the request. If requests continue to fail, contact your administrator.

• ISE server error - The given CSR text is malformed

  This error message appears because the CSR is not in a valid PEM format.

  Workaround: Provide the CSR in a valid PEM format.

• Invalid request - The given CSR has an OU RDN that doesn't match what's defined in the provided Certificate Template

  This error message appears because the OU RDN (or the RDN listed in the error message) does not match with what is provided in the certificate template.

  Workaround: Contact your administrator to determine what RDN values to use in the CSR.

• There are more than the max allowed entries in this CSV. Max is 500

  This error message appears because the CSV file that you provided has more than 500 entries.

  Workaround: Divide the CSV file into multiple CSV files with no more than 500 entries in each file. Submit the CSV files for bulk certificate request, one file at a time. Proceed with the next request after the previous one is complete.

• There are either missing or extra columns in the CSV file. Please stick to the template

  This error message appears because the CSV file is formatted incorrectly.

  Workaround: Ensure that each entry has values for two fields; a CN and a SAN provided for every entry. The SAN should be a MAC address. Resubmit the request.