ArubaOS and Controllers

Frequent Contributor I
Posts: 98
Registered: 08-19-2008

Thawte server certificate issue

I am installing new server certs on two new local controllers we deployed (for the captive portal). But when connecting to the captive portal I see the error message for an untrusted CA (“The security certificate presented by this website was not issued by a trusted certificate authority”). When digging in a bit I realized the new certs are signed by Thawte SSL CA while the old ones (Master controllers) are signed by Thawte Premium Server CA. Thawte Premium Server CA is pre-populated by default in most common browsers, Thawte SSL CA is not, therefore you get the error/warning message. You can manually add this CA to users’ browsers, but the goal of the certs by an already populated trusted CA was to avoid this process.

I think this is an issue with Thawte's migration of root certs from 1024 to 2048 bits:
“Only SSL123 certificates and Web Server Certificates are still issued as “unchained”, i.e. the certificates are issued directly by an online root. All Thawte SSL and Code Signing certificates issued after this root migration will be signed by an intermediate certificate that chains to a secure off line Root CA.”
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AD221

Looks like now we will need Intermediate CAs imported into the controller, which I did from here:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1374

I tried bundle, primary and intermediate separate, adding the bundle trusted CA cert onto the server cert, and moving the order of the certs on the controller. Still get the same error and cert shows issued by Thawte SSL CA. Seems I can’t get the certs to reference each other.
Any ideas?
Thank you!
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
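
The chain problem described in the post above can be reproduced offline with OpenSSL: a server certificate issued by an intermediate only validates when that intermediate is presented along with it. This is an added example, not part of the original thread; the CA names, file names and function names are constructed placeholders, not Thawte's certificates.

```shell
#!/bin/sh
# Constructed lab: root -> intermediate -> leaf. All names are placeholders.
set -e

# Create a throwaway three-level PKI in directory $1.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root: self-signed, plays the CA that browsers already trust.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  # Intermediate: signed by the root, plays the new issuing CA.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  # Leaf: the server certificate, signed by the intermediate only.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf in directory $1 against the trusted root. $2, if given, is a
# PEM file of extra untrusted certs, as a server would send in the handshake.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

# Print subject/issuer of every certificate in a PEM bundle, in file order.
# Each issuer should match the subject of the certificate that follows it.
show_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

lab=$(mktemp -d)
make_chain "$lab"
verify_leaf "$lab" && echo "leaf alone: OK" || echo "leaf alone: FAIL (issuer not found)"
verify_leaf "$lab" "$lab/int.pem" && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAIL"
cat "$lab/leaf.pem" "$lab/int.pem" > "$lab/bundle.pem"
show_links "$lab/bundle.pem"
```

Running `show_links` and `openssl verify` against the real server certificate and the downloaded intermediate file, before uploading anything, shows whether the bundle actually links up to a root the clients already trust.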
Contributor I
Posts: 50
Registered: 04-29-2008

Re: Thawte server certificate issue






I've played this game due to cheap bosses. I found this:

https://www.thesslstore.com/rapidssl/rapidssl-certificates.aspx

Root certs for $17.95

No intermediates, works flawlessly. They actually sell other companies' certs.

Make sure the CSR includes whatever name you are going to display in the browser. The OS will display something else if you don't....