Security

Reply
New Contributor
Posts: 2
Registered: ‎03-01-2016

Apple OSX El Capitan Prompting to Trust Certificate repeatedly

Hello all,

 

First time posting here, but I've encountered a problem that I can't find anywhere else out there.  So it would seem to be unique to my instance, but I'm still hoping someone may have some insight.

 

Essentially, when users connect from a Mac running El Capitan (10.11), the first time they connect, they are prompted to trust the certificate.  Obviously, this is normal behaviour, they click trust and it puts it into the certificate chain.

 

However, every time they connect, they still receive the message to check the certificate and to continue. While it doesn't prevent them from connecting, it is an extra step that has become quite annoying to our users.  It doesn't impact mobiles or windows devices, just the Mac's running the latest OS.

 

Our certificate has been loaded both as just the leaf as well as the full chain.  The root certificate is in the normal OSX System Roots already as well.

 

One thing we believe may be related is that we use a CN common across all of our clearpass devices, with SAN that has the more specific information for each of the boxes.  Example: CN = clearpass.domain with SAN = site1-clearpass.domain.

 

Any thoughts or recommendations would be appreciated.  Another note is that we are using EV certificates and while we don't believe this should have any impact, we would appreciate knowing if anyone else is using an EV cert without any issues.

 

Regards,

 

Kevin

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Apple OSX El Capitan Prompting to Trust Certificate repeatedly

If you manually change the cert to full trust in keychain, does the problem go away? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎03-01-2016

Re: Apple OSX El Capitan Prompting to Trust Certificate repeatedly

Unfortunately, no. I've set the cert, the intermediate and the root all to fully trusted for all things and it still doesn't go away.

Search Airheads
Showing results for 
Search instead for 
Did you mean: