Certificate Provisioning Portal FAQs
Certificate provisioning portal
- What does the Certificate provisioning portal do?
- Why can't I log in?
- How do I change my password?
- How can I generate a single certificate with attributes?
- What is Common Name?
- What is Subject Alternative Name? What are the supported formats?
- What is a certificate template?
- What are the available certificate formats?
- Why do I need a certificate password? Are there any password rules that I must follow?
- What is a certificate signing request? How do I obtain it?
- How can I obtain a single certificate with CSR?
- Can I make a bulk certificate request?
- How do I create the CSV file for bulk certificate request? How many certificates can I obtain in a single request?
- How can I cancel an existing bulk certificate request?
- Can I submit more than one bulk certificate request?
- What happens if I close my browser when a bulk certificate request is running?
- Can I generate certificate(s) on behalf of others?
- What are the contents of the certificate zip file?
- How do I use the certificates?
- What do I do when I see errors?
- What does the Certificate provisioning portal do?
The Certificate provisioning portal issues certificates to devices that cannot go through the onboarding flow. For example, point-of-sale terminals require manual certificate issuance, not the BYOD flow. Privileged users can upload certificate requests. If necessary, they can generate key pairs and then download certificates using the Certificate provisioning portal.
- Why can't I log in?
To log in to the Certificate provisioning portal, your user account must belong to a specific Identity Group configured by your administrator. Contact your administrator for support.
- How do I change my password?
Change your password in the Certificate provisioning portal only if you are a Cisco ISE internal user and your information is in the Cisco ISE internal database.
- Log in to the Certificate provisioning portal using your credentials.
- Click the Account menu drop-down list in the upper-right corner.
- Click Change Password.
- Follow the instructions on screen to change your password.
- How can I generate a single certificate with attributes?
To generate a single certificate with attributes:
- Log in to the Certificate provisioning portal with your credentials.
- From the I want to drop-down list, choose generate single certificate (no certificate signing request).
- Enter your user name (the user name that you used to log in to the Certificate provisioning portal) in the Common Name field.
- Enter the MAC address of the device in the Subject alternative name (SAN) field.
- Choose a certificate template.
- (Optional) Enter a description.
- Choose the certificate download format.
- Enter a password to secure the client certificate. At the time of installing this certificate on the device, you must enter this password.
- Click Generate.
A certificate zip file is generated that you can download to your system.
- What is the Common Name?
The authentication server uses the value in the Common Name (CN) field of the client certificate to authenticate a user. Enter the user name you used to log in to the Certificate provisioning portal in the Common Name field.
- What is a Subject Alternative Name? What formats are supported?
Subject Alternative Name (SAN) is an X.509 extension that allows various values to be associated with a security certificate. In the SAN/MAC address field, enter the MAC address of your device in one of these formats:
- 00-11-22-33-44-55
- 00:11:22:33:44:55
- 0011.2233.4455
- 001122-334455
- 001122334455
- What is a certificate template?
A certificate template is used by the Certificate Authority (CA) to issue a certificate to an end entity. The certificate template is created by a Cisco ISE administrator, who defines a set of fields that the CA uses when validating a request and issuing a certificate. Fields such as the Common Name (CN) validate the request, and the CN must match the user name. The CA uses other fields when issuing the certificate.
- What are the available certificate formats?
Download the end entity certificate in one of these formats. The term end entity refers to the user or device to whom the certificate is issued.
- PKCS12 format (including certificate chain; one file for both the certificate chain and key): A binary format to store the root CA certificate, the intermediate CA certificate(s), and the end entity's certificate and private key in one encrypted file.
- PKCS12 format (one file for both certificate and key): A binary format to store the end entity certificate and the private key in one encrypted file.
- Certificate in Privacy Enhanced Electronic Mail (PEM) format, key in PKCS8 PEM format (including certificate chain): The root CA certificate, the intermediate CA certificate(s), and the end entity certificate are represented in the PEM format. PEM formatted certificates are BASE64-encoded ASCII files. Each certificate starts with the "-----BEGIN CERTIFICATE-----" tag and ends with the "-----END CERTIFICATE-----" tag. The end entity's private key is stored using PKCS8 PEM and starts with the "-----BEGIN ENCRYPTED PRIVATE KEY-----" tag and ends with the "-----END ENCRYPTED PRIVATE KEY-----" tag.
- Certificate in PEM format, key in PKCS8 PEM format: The end entity certificate is represented in the PEM format. PEM formatted certificates are BASE64-encoded ASCII files. Each certificate starts with the "-----BEGIN CERTIFICATE-----" tag and ends with the "-----END CERTIFICATE-----" tag. The end entity's private key is stored using PKCS8 PEM and starts with the "-----BEGIN ENCRYPTED PRIVATE KEY-----" tag and ends with the "-----END ENCRYPTED PRIVATE KEY-----" tag.
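As an added example (not code from the portal or from Cisco ISE), a stdlib-only parser that walks a downloaded PEM bundle by its BEGIN/END tags, checks that each block is base64-encoded DER, and reports how many certificates the chain carries and whether the key is the expected encrypted PKCS8 one. The sample bundle is constructed from a dummy DER sequence, not a real certificate or key.

```python
import base64
import re

# One PEM block: the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)


def parse_pem_bundle(text):
    """Return [(label, der_bytes)] for every well-formed PEM block, in file order."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(match.group("body").split()), validate=True)
        # Every X.509 certificate and PKCS8 key is a DER SEQUENCE, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"{match.group('label')} block does not contain DER")
        blocks.append((match.group("label"), der))
    return blocks


def describe_bundle(text):
    """Summarise a portal PEM download: chain length and which kind of key it holds."""
    labels = [label for label, _ in parse_pem_bundle(text)]
    return {
        "certificates": labels.count("CERTIFICATE"),
        "encrypted_key": "ENCRYPTED PRIVATE KEY" in labels,
        # The portal stores the key encrypted; a plain PRIVATE KEY block means no password protection.
        "unencrypted_key": "PRIVATE KEY" in labels,
    }


# Constructed stand-in for a certificate/key body: a minimal DER SEQUENCE, not a real X.509 object.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
SAMPLE_BUNDLE = (
    f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_FAKE_DER}\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
```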
- Why do I need a certificate password? Are there any password rules that I must follow?
A certificate password secures your certificate. Provide the password to view its contents and to import it onto a device. Your password must conform to these rules:
- Includes at least one uppercase letter, one lowercase letter, and one number
- Length: 8 to 15 characters
- Allowed characters: A-Z, a-z, 0-9, _, #
- What is a Certificate Signing Request? How do I obtain it?
A certificate signing request (CSR) is a request for a certificate sent from an end entity (user/device) to a Certificate Authority (CA). The CSR contains information that identifies the end entity, including Common Name, Subject Alternative Name, and Department Name. OpenSSL is one of the most popular tools used to generate a CSR. Contact your administrator for information on how to obtain a CSR.
- How can I obtain a single certificate with CSR?
To generate a single certificate from a CSR:
- Log in to the Certificate provisioning portal with your credentials.
- From the I want to drop-down list, choose generate single certificate (with certificate signing request).
- Enter the CSR details.
- Choose a certificate template.
- (Optional) Enter a description.
- Choose the certificate download format.
- Enter a password to secure the client certificate. At the time of installing this certificate on the device, you must enter this password.
- Click Generate.
A certificate zip file that includes a CSR is generated. Download it to your system.
- Can I make a bulk certificate request?
Yes. You can make a bulk certificate request by creating a CSV file and uploading it to the Certificate provisioning portal. You can request up to 500 certificates in a single bulk request.
- How do I create the CSV file for a bulk certificate request?
To create the CSV file for a bulk certificate request:
- Log in to the Certificate provisioning portal using your credentials.
- From the I want to drop-down list, choose generate bulk certificates.
- Click Download CSV template here. The CSV template is downloaded to your system.
- Open the downloaded file in a spreadsheet application such as Excel, enter the CN and SAN values for the devices (one row per device), and save the file.
- From the Certificate provisioning portal, click Upload.
- Click Browse and select the CSV file from your system.
- Choose a certificate template and enter a description.
- Choose the certificate download format and enter a password to secure the client certificate. At the time of installing this certificate on the device, you must enter this password.
- Click Generate. A certificate zip file containing all the certificates is generated. Download it to your system.
- How can I cancel an existing bulk certificate request?
When a bulk certificate request is in progress, click Cancel from the Certificate Generation Status page.
- Can I submit more than one bulk certificate request?
You can submit only one request at a time. After the certificates are generated and you confirm that download is complete, you can submit another request.
- What happens if I close my browser when a bulk certificate request is running?
If you close your browser or log out when a bulk certificate request is in progress, you are automatically redirected to the Certificate Generation Status page, where you can see the progress of your request. When certificate generation is complete, you can view the summary and download the generated certificates.
- Can I generate certificate(s) on behalf of others?
Only users with administrator privileges—Super Admin or ERS Admin—can generate certificates for others. Other users can request certificates for themselves only.
- What are the contents of the certificate zip file?
The contents of the zip file depend on the certificate download format you choose. The zip file contains these items.
- Certificate for the end entity: A certificate for the end entity that matches the information provided by you, such as the Common Name, Subject Alternative Name (SAN), and so on. For example, if a requester with the user name Joe submits a request for his device with MAC address (SAN) 11-22-33-44-55-66, the certificate file is named Joe_11-22-33-44-55-66.cer.
- Private key (only for single certificate using attributes or bulk certificate requests): A private key for the end entity certificate. If a requester whose user name is Joe submits a request for his device with MAC address (SAN) 11-22-33-44-55-66, the private key file is named Joe_11-22-33-44-55-66.key.
- Certificate chain: All the certificates in the certificate chain leading up to the root CA for the Cisco ISE internal CA.
For the end entity to trust the Cisco ISE server during EAP-TLS authentication, one of these files is present in the zip file:
- EAP certificate chain (if the Cisco ISE server certificates are signed by an external CA)
- Cisco ISE self-signed certificate (if the Cisco ISE server uses a self-signed certificate for server authentication)
- How do I use the certificates?
After downloading the certificate zip file to your local system:
- Import the certificates to the keystore of the client device. If you submitted a bulk certificate request, copy the appropriate end entity certificate and private key to the device with the matching MAC address (based on the SAN).
- Modify your wireless or wired settings to use EAP-TLS based authentication and select the end entity certificate.
- Connect the device to the network. The authentication should pass.
- What do I do when I see errors?
- "Invalid request - The given CSR has a CN that does not match the provided user name, and that user does not have ERS Admin": This error message appears because the CN value in the request does not match the requester's user name. The CN must match the user name of the user who is requesting the certificate. This check ensures that users do not request certificates for someone else. However, a user who belongs to the ERS Admin Group (an admin user) can request certificates for other users, and the CN does not have to match the admin user's user name. Workaround: Resubmit the request with your user name in the Common Name field.
- "The given CN is invalid. Cannot contain [] " : ; | = , + * ? < > characters": This error message appears when invalid characters are present in the CN. Invalid characters include [ ] " : ; | = , + * ? < >. These characters are not allowed in an Active Directory user name, so they must not appear in the CN. Workaround: Resubmit the request with a valid CN.
- "Invalid MAC address": This error appears because the MAC address is invalid. A MAC address must be of the form 11-11-11-11-11-11, 11:11:11:11:11:11, 1111.1111.1111, 111111.111111, or 111111111111. Apart from the delimiters -, :, and ., the MAC address can only contain the digits 0 through 9 and the letters A through F. Workaround: Provide the MAC address in a supported format and resubmit the request.
- "CA server error - Certificate request to internal CA failed CN": This error indicates a general failure with the Cisco ISE internal CA. Workaround: Resubmit the request. If requests continue to fail, contact your administrator.
- "ISE server error - The given CSR text is malformed": This error message appears because the CSR is not in a valid PEM format. Workaround: Provide the CSR in a valid PEM format.
- "Invalid request - The given CSR has an OU RDN that does not match what is defined in the provided Certificate Template": This error message appears because the OU RDN (or the RDN listed in the error message) does not match what is defined in the certificate template. Workaround: Contact your administrator to determine which RDN values to use in the CSR.
- "There are more than the maximum allowed entries in this CSV. Maximum is 500": This error message appears because the CSV file that you provided has more than 500 entries. Workaround: Divide the CSV file into multiple CSV files with no more than 500 entries in each file. Submit the CSV files for bulk certificate request one file at a time, and proceed with the next request only after the previous one is complete.
- "There are either missing or extra columns in the CSV file. Please stick to the template": This error message appears because the CSV file is formatted incorrectly. Workaround: Ensure that each entry has values for exactly two fields, a CN and a SAN, and that the SAN is a MAC address. Resubmit the request.
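A pre-flight check for the bulk-request CSV, added here as example code (not part of Cisco ISE or the portal), that catches the problems from the error list above before upload: the five accepted MAC notations from the SAN question, the forbidden CN characters, the 500-entry limit, and the two-column layout. It assumes the downloaded template is a header row followed by one CN,SAN row per device; the sample CSV is constructed.

```python
import csv
import re

# Limits and rules stated in the portal FAQ (example code, not part of Cisco ISE).
MAX_BULK_ENTRIES = 500
CN_FORBIDDEN = set('[]":;|=,+*?<>')
# The five MAC notations the SAN/MAC address field accepts.
MAC_FORMATS = (
    r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}",   # 00-11-22-33-44-55
    r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}",   # 00:11:22:33:44:55
    r"[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}",  # 0011.2233.4455
    r"[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}",          # 001122-334455
    r"[0-9A-Fa-f]{12}",                        # 001122334455
)

def normalize_mac(value):
    """Return the MAC as 00-11-22-33-44-55 if it uses a supported notation, else None."""
    value = value.strip()
    if not any(re.fullmatch(pattern, value) for pattern in MAC_FORMATS):
        return None
    digits = re.sub(r"[-:.]", "", value).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def validate_bulk_csv(text):
    """Pre-check a bulk-request CSV; returns [(row_number, message)], empty when it is clean."""
    # Assumption: the downloaded template is a header row followed by one CN,SAN row per device.
    problems = []
    rows = list(csv.reader(text.splitlines()))
    entries = rows[1:]
    if len(entries) > MAX_BULK_ENTRIES:
        problems.append((0, f"{len(entries)} entries exceed the maximum of {MAX_BULK_ENTRIES}"))
    for row_number, row in enumerate(entries, start=2):
        if len(row) != 2:
            problems.append((row_number, "expected exactly two columns (CN, SAN)"))
            continue
        cn, san = (field.strip() for field in row)
        bad = sorted(CN_FORBIDDEN & set(cn))
        if not cn or bad:
            problems.append((row_number, f"invalid CN {cn!r}: {bad or 'empty'}"))
        if normalize_mac(san) is None:
            problems.append((row_number, f"unsupported MAC address {san!r} in the SAN column"))
    return problems

# Constructed sample: rows 4 and 5 are deliberately wrong.
SAMPLE_CSV = """CN,SAN
joe,00:11:22:33:44:55
jane,0011.2233.4455
bad;cn,001122334455
mary,00-11-22-33-44
"""
```

Run `validate_bulk_csv` on the file before uploading it; an empty list means every row passes the checks the portal applies.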