10-21-2014 09:15 AM
Question regarding the CPPM certificate installation.
We are using CPPM for 802.1x authentication. As the self-signed certificate is about to expire soon, we are planning to replace it with a public certificate signed by a CA (GlobalSign). When we tested this over the weekend, we found the client machines were prompted to click "connect" or "accept" on Windows and iPhone respectively. There are a couple of questions that I have:
1. Do we get this one time popup even for the signed public certificate? Is there a way to avoid this?
2. One thing that I observed was that, though the public certificate was listed in the trust list (Administration -> Certificates -> Trust List) on CPPM, it was not enabled. Do we have to enable it? Does this have anything to do with the prompt we got as explained above? Also, do we have to add any intermediate certificates to the trust list and enable them as well?
Please let me know if you need more information.
Any suggestions would be greatly appreciated.
10-21-2014 09:27 AM - edited 10-21-2014 09:28 AM
The certificate prompt on clients is a normal part of the 802.1X/EAP process. The dialog box is asking the user if they trust the authentication server to take their credentials for that particular network. The only way to bypass the prompt is to pre-configure clients using a management tool like Group Policy/Profile Manager or BYOD tools like QuickConnect or Onboard.
While that error doesn't have anything to do with the CP trust list, you should enable the entire trust chain anyway.
10-21-2014 09:39 AM
Thanks for the quick response. You have answered my question.
One more thing that concerned me was that when it prompts on iPhones it reads "Not Verified" in red. Any idea why this would happen?
Also, what would happen if I do not enable it in the trust list? I was still able to connect.
10-21-2014 09:41 AM - edited 10-21-2014 09:42 AM
Not Verified just means that the server's certificate has not been pre-trusted for connection to the network. This is normal for the first time a user connects.
You likely have enabled the Root or intermediate CA that signed the public certificate, which is fine.
10-21-2014 11:39 AM
I have just checked CPPM. Most of the certs on the Trust List are disabled, except a very few which are enabled. GlobalSign is among the disabled ones.
| C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA | valid | Disabled |
10-21-2014 11:42 AM
10-21-2014 11:50 AM
Yes, if I am getting this right, when I go to the Server Certificates under the Certificates menu on CPPM, I did see the server cert, intermediate cert and the root CA cert. Is this what you are referring to?