Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Error Uploading Certificate: CertMgr error.

  • 1.  Error Uploading Certificate: CertMgr error.

    Posted May 31, 2018 09:59 PM

    I am having an issue uploading a server certificate to an Aruba Controller using the WebGUI. I have successfully uploaded the Intermediate and Trusted CA certificates. When I try to upload the server certificate in p12, PEM, or DER format, I get the following error message:

     

    Error Uploading Certificate: CertMgr error.

     

    When I check the logs, I get the following:

     

    Jun 1 00:56:45 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com-cfssl.p12" > -- command executed successfully
    Jun 1 00:58:14 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com.crt.pem" > -- command executed successfully
    Jun 1 01:11:14 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com.der" > -- command executed successfully
    Jun 1 01:15:00 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com.crt.pem" > -- command executed successfully

     

    I have used the same CA to generate server certs for all of my other servers and appliances, including Aruba Clearpass. I changed all of those certificates successfully. This is the only device that won't accept the server certificate. I have had the admin of the CA generate me the certificate again just to make sure and I get the same error. 

     

    Any suggestions?



  • 2.  RE: Error Uploading Certificate: CertMgr error.

    EMPLOYEE
    Posted Jun 01, 2018 03:15 AM

    It may help to check this ASE solution to get the right commands to create the p12.

     

    There is no need to upload the root/intermediates into the controller, unless you do TLS client authentication on the controller (instead of on an external RADIUS like ClearPass, which is recommended). You will need to have the intermediates included in the p12 though.

     

    What may help is opening/installing the p12 in Windows to see if everything is in and if it opens correctly with the passphrase that you have.



  • 3.  RE: Error Uploading Certificate: CertMgr error.

    Posted Jun 01, 2018 07:56 PM


    I opened the p12 file using certutil and it looks ok:

     

    D:\>certutil -dump wmc01.contoso.com-cfssl.p12
    Enter PFX password:
    ================ Certificate 0 ================
    ================ Begin Nesting Level 1 ================
    Element 0:
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Issuer: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
    NotBefore: 5/9/2018 7:57 PM
    NotAfter: 5/6/2028 7:57 PM
    Subject: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ---------------- End Nesting Level 1 ----------------
    No key provider information
    Cannot find the certificate and private key for decryption.
    ================ Certificate 1 ================
    ================ Begin Nesting Level 1 ================
    Element 1:
    Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Issuer: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
    NotBefore: 5/9/2018 7:58 PM
    NotAfter: 5/8/2023 7:58 PM
    Subject: CN=CONTOSO Server Intermediate Root CA, O=CONTOSO Corp, C=US
    Non-root Certificate
    Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ---------------- End Nesting Level 1 ----------------
    No key provider information
    Cannot find the certificate and private key for decryption.
    ================ Certificate 2 ================
    ================ Begin Nesting Level 1 ================
    Element 2:
    Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Issuer: CN=CONTOSO Server Intermediate Root CA, O=CONTOSO Corp, C=US
    NotBefore: 5/31/2018 3:52 PM
    NotAfter: 5/30/2023 3:52 PM
    Subject: CN=wmc01.contoso.com, OU=CONTOSO Server, O=CONTOSO Corp, L=Fremont, S=California, C=US
    Non-root Certificate
    Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ---------------- End Nesting Level 1 ----------------
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Encryption test passed
    CertUtil: -dump command completed successfully.

     

    I also installed it on my Windows 10 laptop, and it installed the certificate in my Personal store with the "Intended Purposes" of Client Auth and Server Auth.

     

    I checked out the ASE link, and that seems to be applicable to certificates generated using a CSR. The certificate I am using was not generated by a CSR and comes from an internal CA. Does the controller accept certificates generated without a CSR?

     

    Based on the ASE, it looks like it wants a certificate in the following format:

     

    -----BEGIN RSA PRIVATE KEY-----
    to (including):
    -----END CERTIFICATE-----


    None of my certificates start with


    -----BEGIN RSA PRIVATE KEY-----


    Usually -----BEGIN CERTIFICATE----- or -----BEGIN PRIVATE KEY----- and none of them have 


    to (including):


    Is that a problem?
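
An added example, not part of the thread or of Aruba's documentation: a small Python check that lists the PEM blocks of a file in order and names each key encoding, so the header difference raised in the post above (`BEGIN RSA PRIVATE KEY` is PKCS#1, `BEGIN PRIVATE KEY` is PKCS#8) is visible before an upload. The sample bundles and the helper names are constructed for illustration; whether the controller accepts either encoding is not established by the thread.

```python
import base64
import re

# PEM labels (RFC 7468 plus OpenSSL's traditional formats) and what they hold.
LABELS = {
    "RSA PRIVATE KEY": "private key, PKCS#1 (traditional OpenSSL RSA)",
    "EC PRIVATE KEY": "private key, SEC1 (traditional OpenSSL EC)",
    "PRIVATE KEY": "private key, PKCS#8 unencrypted",
    "ENCRYPTED PRIVATE KEY": "private key, PKCS#8 encrypted",
    "CERTIFICATE": "X.509 certificate",
    "CERTIFICATE REQUEST": "PKCS#10 CSR",
}
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_length) for every PEM block, in file order."""
    out = []
    for label, body in BLOCK.findall(text):
        # Drop legacy header lines (e.g. "Proc-Type: 4,ENCRYPTED") before the base64.
        lines = [l.strip() for l in body.splitlines() if l.strip() and ":" not in l]
        der = base64.b64decode("".join(lines), validate=True)  # raises on corrupt body
        out.append((label, len(der)))
    return out

def describe(text):
    """Summarise block order, key encodings and the layout quoted in the post."""
    labels = [label for label, _ in pem_blocks(text)]
    return {
        "order": labels,
        "kinds": [LABELS.get(l, "unknown") for l in labels],
        "key_count": sum(l.endswith("PRIVATE KEY") for l in labels),
        "cert_count": labels.count("CERTIFICATE"),
        # Layout quoted in the post: from RSA PRIVATE KEY through a final certificate.
        "rsa_key_first_cert_last": bool(labels) and labels[0] == "RSA PRIVATE KEY"
                                   and labels[-1] == "CERTIFICATE",
    }

def _fake(label, n):
    """Constructed placeholder block of n zero bytes; not real key material."""
    b64 = base64.b64encode(bytes(n)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: a certificate-only file and two key + leaf + intermediate bundles.
CERT_ONLY = _fake("CERTIFICATE", 30)
PKCS8_BUNDLE = _fake("PRIVATE KEY", 48) + _fake("CERTIFICATE", 30) + _fake("CERTIFICATE", 33)
PKCS1_BUNDLE = _fake("RSA PRIVATE KEY", 48) + _fake("CERTIFICATE", 30) + _fake("CERTIFICATE", 33)
```

Calling `describe()` on the text of a real PEM file shows at a glance whether it carries a private key at all, which encoding that key uses, and how many certificates follow it.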



  • 4.  RE: Error Uploading Certificate: CertMgr error.

    EMPLOYEE
    Posted Jun 04, 2018 04:27 AM

    It's hard to tell from here. If you can share the p12 with key (or another one that you can revoke afterwards) via a PM, I can give it a shot in my lab. Otherwise, please open a TAC case and work with Aruba TAC on this import.