[c-nsp] Cisco ISE cannot create a CSR in X.509 valid format (Bug ID: CSCtu03384)

Peter Rathlev peter at rathlev.dk
Tue Jul 23 16:05:12 EDT 2013

On Tue, 2013-07-23 at 11:10 +0200, Manu Chao wrote:
> I need openssl assistance since Cisco ISE cannot generate a CSR in
> X.509 format.
> I get both .pem and .pvk files from Cisco ISE export.

OpenSSL 1.0.1e seems to support PVK files; the 1.0.0e version from
Fedora 17 does not. To convert you PVK file to something that can be
used by "openssl req":

  openssl rsa -in keyfile.pvk -inform pvk -out private-key.pem

After this you can use the regular OpenSSL commands:

  openssl req -new -key private-key.pem -out request.csr

If you need anything special like subjectAltName or extensions in your
certificate you need to supply a custom configuration file. Take a look
at "man 5 config" for details on the configuration file syntax.

This might be worth a read:



More information about the cisco-nsp mailing list