Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboarding iOS - Unverified Profile

  • 1.  Onboarding iOS - Unverified Profile

    Posted Feb 07, 2013 11:03 AM

    Hi everyone,

     

    I'm trying to set up 2x Clearpass PM 6.0.2 in a cluster so the customer can do onboarding.

    Third-party certificate for the guest-part. Trusted and so on.

    Using Clearpass Onboard as an Intermediate CA to the customer's Root CA.

     

    I have for now only tested with iOS devices, and it works fine except for one little thing: when Onboarding, the profile is in status Unverified.

    So when the customer onboards, they will get a message saying it's an Unverified Profile, then they just click Install Now and it works.

    I'm using URLs everywhere, no IP addresses.

     

    Can anyone help me out why it gets Unverified?

    What are the steps that iOS does to verify?

    What do you need to do in the Clearpass environment to get it verified?

     



  • 2.  RE: Onboarding iOS - Unverified Profile

    Posted Feb 07, 2013 12:51 PM

    "Unverified" means that the iOS device does not trust the certificate that signed the profile.

     

    Onboard will sign the profile using the profile signing certificate that you can see in Onboard » Certificate Management.

     

    From what you have said it sounds like this is issued by the Onboard intermediate CA.  This certificate has been issued by the organization's root CA.  Therefore, the root CA needs to be trusted by the device, or else it will fail to verify the profile.

     

    Try to add the root certificate on the iOS device.  This should be shown as step 1 on the device_provisioning page.



  • 3.  RE: Onboarding iOS - Unverified Profile

    Posted Feb 07, 2013 02:52 PM

    If that is the only thing that is needed, I can't see why iOS says Unverified.

     

    Because the Root CA cert is installed in step 1, just as you are writing.

    (That was imported in Certificate Management together with the Intermediate certificate)

    And when that is done iOS says that the Root CA cert is Trusted.

     

    The Signing certificate is issued by the Intermediate CA (which is Clearpass Guest).

     

    And that Intermediate CA cert is issued by the customer's Root CA.

     

    Any other ideas?

     



  • 4.  RE: Onboarding iOS - Unverified Profile

    Posted Feb 08, 2013 06:07 AM

    So I did some more testing.

     

    I exported the Onboarding Intermediate CA certificate from Clearpass Guest and mailed to my iPhone.

    I then opened it (not installing it), it says Trusted right away because the iPhone has trust in the Root CA.

     

    I then exported the profile signing certificate from Certificate Management in Clearpass Guest (which is issued from Onboarding Intermediate CA). Mailed it to my iPhone and opened it, it says Not Trusted. I look under details for the certificate in the iPhone and it is issued by the Onboarding CA, which my iPhone trusts via the Root CA.

     

    How can this be? The signing certificate is automatically generated, right? Nothing I can do anything about...

     

    I also tried to install the Onboarding Intermediate Cert on my iPhone, although it shouldn't matter, and it didn't. The Profile signing certificate is still Not Trusted.

     

     



  • 5.  RE: Onboarding iOS - Unverified Profile

    Posted Feb 08, 2013 12:04 PM

    What iOS version are you testing with?

     

    If you are familiar with the 'openssl verify' command you should be able to construct the trust chain yourself and verify that the profile signing certificate is actually trusted up to the expected root CA.

     

    If you aren't familiar with this, perhaps you could attach the relevant certificates here (root CA, intermediate CA and the profile signing certificate) and we can try to help you on the forum...



  • 6.  RE: Onboarding iOS - Unverified Profile

    Posted Feb 11, 2013 03:10 AM

    Haven't used the verify before, but I do have openssl installed so tried it (hopefully I got it right).

     

    I took the root ca and intermediate ca cert and created a pem with both included, s-root-ca_plus_onboard.pem.

    Then I have the signing certificate in a separate pem file, s-profile_signing.pem.

     

    I issued the following command (let me know if I'm doing it wrong);

    openssl verify -verbose -CAfile s-root-ca_plus_onboard.pem s-profile_signing.pem

    and got the following input;

    s-profile_signing.pem: OK

     

    Tried with iOS 6.0.1 and iOS 6.0.2. The same devices have been Onboarded on other customer sites, without this error.
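
Added example, not part of any post in this thread: the `openssl verify` run above loads both CA certificates through `-CAfile`, so the intermediate counts as part of the trust store. The script below keeps only the root as trust anchor and passes the intermediate with `-untrusted`, or omits it. All subjects, file names and the `demo.cnf` config are constructed for the demo.

```shell
#!/bin/sh
# Added example. All names, subjects and files are constructed for the demo.

# Build root CA -> intermediate ("Onboard CA") -> profile signing cert in $1.
make_demo_chain() {
  dir=$1
  cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
    -extensions ca_ext -subj "/CN=Constructed Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
  issue "$dir" root onboard "Constructed Onboard CA" ca_ext &&
  issue "$dir" onboard signing "Constructed Profile Signing" leaf_ext
}

# issue DIR ISSUER NAME CN EXT_SECTION: sign NAME.pem with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/demo.cnf" -extensions "$5" \
    -out "$1/$3.pem" 2>/dev/null
}

# verify_as_device ROOT LEAF [INTERMEDIATE]: only ROOT is a trust anchor.
verify_as_device() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d)
make_demo_chain "$d" || exit 1
verify_as_device "$d/root.pem" "$d/signing.pem" "$d/onboard.pem" && echo "root + supplied intermediate: OK"
verify_as_device "$d/root.pem" "$d/signing.pem" || echo "root only: chain does not build"
rm -rf "$d"
```

With real files, `verify_as_device` takes the exported root, the profile signing certificate and, optionally, the exported intermediate, each as a separate PEM file.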