Error Uploading Certificate: CertMgr error.

I am having an issue uploading a server certificate to an Aruba Controller using the WebGUI. I have successfully uploaded the Intermediate and Trusted CA certificates. When I try to upload the server certificate in p12, PEM, or DER format, I get the following error message:

 

Error Uploading Certificate: CertMgr error.

 

When I check the logs, I get the following:

 

Jun 1 00:56:45 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com-cfssl.p12" > -- command executed successfully
Jun 1 00:58:14 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com.crt.pem" > -- command executed successfully
Jun 1 01:11:14 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com.der" > -- command executed successfully
Jun 1 01:15:00 webui[3833]: USER:admin@192.168.0.143 COMMAND:<crypto-local pki ServerCert "wmc01.contoso.com" "wmc01.contoso.com.crt.pem" > -- command executed successfully

 

I have used the same CA to generate server certs for all of my other servers and appliances, including Aruba Clearpass. I changed all of those certificates successfully. This is the only device that won't accept the server certificate. I have had the admin of the CA generate me the certificate again just to make sure and I get the same error. 

 

Any suggestions?

Re: Error Uploading Certificate: CertMgr error.

It may help to check this ASE solution to get the right commands to create the p12.

 

There is no need to upload the root/intermediates into the controller, unless you do TLS client authentication on the controller (instead of on an external RADIUS like ClearPass, which is recommended). You will need to have the intermediates included in the p12 though.

 

What may help is opening/installing the p12 in Windows to see if everything is in and if it opens correctly with the passphrase that you have.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Re: Error Uploading Certificate: CertMgr error.


I opened the p12 file using certutil and it looks ok:

 

D:\>certutil -dump wmc01.contoso.com-cfssl.p12
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
NotBefore: 5/9/2018 7:57 PM
NotAfter: 5/6/2028 7:57 PM
Subject: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 1 ================
================ Begin Nesting Level 1 ================
Element 1:
Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
NotBefore: 5/9/2018 7:58 PM
NotAfter: 5/8/2023 7:58 PM
Subject: CN=CONTOSO Server Intermediate Root CA, O=CONTOSO Corp, C=US
Non-root Certificate
Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 2 ================
================ Begin Nesting Level 1 ================
Element 2:
Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=CONTOSO Server Intermediate Root CA, O=CONTOSO Corp, C=US
NotBefore: 5/31/2018 3:52 PM
NotAfter: 5/30/2023 3:52 PM
Subject: CN=wmc01.contoso.com, OU=CONTOSO Server, O=CONTOSO Corp, L=Fremont, S=California, C=US
Non-root Certificate
Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.

 

I also installed it on my Windows 10 laptop, and it installed the certificate in my Personal store with the "Intended Purposes" of Client Auth and Server Auth.

 

I checked out the ASE link, and that seems to be applicable to certificates generated using a CSR. The certificate I am using was not generated by a CSR and comes from an internal CA. Does the controller accept certificates generated without a CSR?

 

Based on the ASE, it looks like it wants a certificate in the following format:

 

-----BEGIN RSA PRIVATE KEY-----
to (including):
-----END CERTIFICATE-----


None of my certificates start with -----BEGIN RSA PRIVATE KEY-----. Usually -----BEGIN CERTIFICATE----- or -----BEGIN PRIVATE KEY-----, and none of them have "to (including):".

Is that a problem?
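Added example (not part of the original posts and not Aruba's code): a Python check that lists the PEM block labels in a file and compares them with the layout quoted above from the ASE, running from `-----BEGIN RSA PRIVATE KEY-----` through `-----END CERTIFICATE-----`. It assumes that layout is what the import expects; the function names are hypothetical and the sample bodies are constructed placeholders, not real key material.

```python
import base64
import re

# One PEM block: captures the label and everything between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Private-key labels and the encoding each one denotes.
KEY_FORMATS = {
    "RSA PRIVATE KEY": "PKCS#1 (traditional RSA)",
    "PRIVATE KEY": "PKCS#8 (unencrypted)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
    "EC PRIVATE KEY": "SEC1 (traditional EC)",
}

def pem_labels(text):
    """Return each PEM block label in file order; ValueError if a body is not base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip blank lines and legacy "Proc-Type:" / "DEK-Info:" header lines.
        data = "".join(l.strip() for l in body.splitlines() if l.strip() and ":" not in l)
        base64.b64decode(data, validate=True)
        labels.append(label)
    return labels

def check_bundle(text):
    """List where a PEM file differs from the key-first layout quoted in the thread."""
    labels = pem_labels(text)
    keys = [l for l in labels if l in KEY_FORMATS]
    certs = labels.count("CERTIFICATE")
    findings = []
    if len(keys) != 1:
        findings.append(f"expected 1 private key, found {len(keys)}")
    elif keys[0] != "RSA PRIVATE KEY":
        findings.append(f"key is {KEY_FORMATS[keys[0]]}, not 'RSA PRIVATE KEY'")
    if not labels or labels[0] not in KEY_FORMATS or labels[-1] != "CERTIFICATE":
        findings.append("file does not run from the private key to END CERTIFICATE")
    if certs == 1:
        findings.append("single CERTIFICATE block: no intermediate CA certificates")
    return findings

def sample_block(label):
    # Constructed placeholder body; not real key or certificate material.
    body = base64.b64encode(b"constructed sample: " + label.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    pkcs8 = sample_block("PRIVATE KEY") + sample_block("CERTIFICATE") * 3
    for finding in check_bundle(pkcs8):
        print(finding)
```

Run against a real file, it only reads the block markers and checks that each body is base64, so it never needs the passphrase or the decoded key.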

Re: Error Uploading Certificate: CertMgr error.

It's hard to tell from here. If you can share the p12 with key (or another one that you can revoke afterwards) via a PM, I can give it a shot in my lab. Otherwise, please open a TAC case and work with Aruba TAC on this import.
