Controllerless Networks

last person joined: 2 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

How to upload several Intermediate CA certificate

  • 1.  How to upload several Intermediate CA certificate

    Posted 7 days ago
    Hi everyone,

    we´re setting up a new Guest Access with ClearPass (v6.9.2). Everything is working fine, except for one thing: On MacBooks the CaptivePortal login isn´t trusted.
    The certificate is a public certificate. I´ve uploaded the Intermediate CA and the root CA to ClearPass, and the CP certificate includes the entire chain.
    I´ve also uploaded the CP certificate to our IAPs (IAP335 and IAP305) (using AirWave v8.2.11.2).
    How can I upload the Intermediate CA and the root CA? In AirWave i can only choose one Intermediate CA, but in our internal WLAN we use a different Intermediate CA. So how can I upload a second intermediate and a second root to the IAPs?

    Kind regards
    Matthias

    ------------------------------
    Matthias Pohl
    ------------------------------


  • 2.  RE: How to upload several Intermediate CA certificate

    Posted 6 days ago
    Let's split this in ClearPass and APs:
    - ClearPass works fine from what I read
    - Captive portal certificate upload to APs is where you have questions around.
    Correct?

    I assume that you have a different certificate for your APs and for ClearPass, or multi-SAN/wildcard to avoid name collision between CPPM and AP.

    There is no need to upload the root as part of your chain. The root certificate should already be in your client device, and while sending the root as part of the chain is shown in some examples on the internet, it is deprecated to do so as it does not add any value but increases your overhead.

    What kind of certificate do you have that has multiple intermediates? That is pretty rare. I can't remember having seen that before. For the APs, you create a PEM file with your cert, then the intermediates up to the root (root excluded).

    What you could do on your MAC is using the browser to check the certificate and chain, or openssl:
    openssl s_client -showcerts -servername www.example.com -connect www.example.com:443​


    That will display all certificates sent by the server, and also the trust status according to your MAC.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: How to upload several Intermediate CA certificate

    Posted 6 days ago
    Correct, ClearPass works fine.


    We use a wildcard certificate for HTTPS Server Certificate. Imported it via ClearPass GUI. This wildcard certificate is also used in IAPs as CaptivePortal Cert. I´ve uploaded the cert to AirWave and set it as Captive Portal Cert.
    I can connect to our Guest-WLAN without problem with all devices, except MacBooks.
    After logging in I get a certificate warning:


    The openssl command creates the following output:

    openssl s_client -showcerts -servername clearpass.opitz-consulting.com -connect clearpass.opitz-consulting.com:443

    CONNECTED(00000005)

    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

    verify return:1

    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1

    verify return:1

    depth=0 C = DE, ST = Nordrhein-Westfalen, L = Gummersbach, O = OPITZ CONSULTING Deutschland GmbH, CN = *.opitz-consulting.com

    verify return:1

    ---

    Certificate chain

     0 s:/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com

       i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

    -----BEGIN CERTIFICATE-----

    .
    .

    -----END CERTIFICATE-----

     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2

    -----BEGIN CERTIFICATE-----

    .
    .
    .

    -----END CERTIFICATE-----

     2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2

       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2

    -----BEGIN CERTIFICATE-----

    .
    .
    .

    -----END CERTIFICATE-----

    ---

    Server certificate

    subject=/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com

    issuer=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

    ---

    No client certificate CA names sent

    Server Temp Key: ECDH, P-256, 256 bits

    ---

    SSL handshake has read 4588 bytes and written 361 bytes

    ---

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

    Server public key is 2048 bit

    Secure Renegotiation IS supported

    Compression: NONE

    Expansion: NONE

    No ALPN negotiated

    SSL-Session:

        Protocol  : TLSv1.2

        Cipher    : ECDHE-RSA-AES256-GCM-SHA384

        Session-ID: A071612C7ECE0B5AD0B3AC1D81A19822439DBD76B5D19687D7311B5410C43F0D

        Session-ID-ctx: 

        Master-Key: 652D72BF95A2941305EFBCA601B90C9F969FCC377D6601B2995DE206F31071451F6478CA00D51A49FA345BDA3AF2FE5B

        TLS session ticket lifetime hint: 300 (seconds)

        TLS session ticket:

        0000 - 25 8e 75 17 7e 7c dc a0-66 e6 b1 0c e8 0c e1 b2   %.u.~|..f.......

        0010 - d9 24 05 f4 b9 1e e1 07-92 59 8e d0 87 b1 e8 b3   .$.......Y......

        0020 - d3 5a cf 3d 55 be 2c dc-a4 eb aa a4 de 67 4b ea   .Z.=U.,......gK.

        0030 - 77 a5 52 86 fc a8 ff 5f-8b 56 d3 10 2a 34 54 f5   w.R...._.V..*4T.

        0040 - cd 53 7b 69 0e 48 f3 62-90 83 25 62 a5 1b d6 d8   .S{i.H.b..%b....

        0050 - 4d 54 4b a9 ff 47 44 b5-d9 05 c1 0d bb d8 79 9d   MTK..GD.......y.

        0060 - 38 b5 bb 47 e1 12 b4 ff-ce ba ac 3b ee 16 43 b0   8..G.......;..C.

        0070 - eb c4 38 90 3c 60 92 60-9d f5 74 36 93 0f 6a 63   ..8.<`.`..t6..jc

        0080 - 4a 3d ce 4e 40 df bc b2-45 f7 84 2e c6 f6 d7 b5   J=.N@...E.......

        0090 - 63 39 55 c9 ff 59 9e cf-1a c7 34 9c c5 e6 c2 eb   c9U..Y....4.....

        00a0 - eb 6c 9f 40 5f 63 e7 48-9f a6 18 66 e9 a1 c4 1b   .l.@_c.H...f....

        00b0 - 00 17 bd cc b9 7a 71 39-e8 5c 51 5a ea 2e 94 9b   .....zq9.\QZ....

        00c0 - d7 f7 58 09 e8 53 4c 1f-cd 56 6c 84 27 33 cf 91   ..X..SL..Vl.'3..

        00d0 - 08 ba 31 42 1b 26 79 a6-74 f9 b2 40 fb f6 bb f3   ..1B.&y.t..@....

     

        Start Time: 1614161421

        Timeout   : 7200 (sec)

        Verify return code: 0 (ok)

    ---

     

    HTTP/1.1 400 Bad Request

    Date: Wed, 24 Feb 2021 10:10:30 GMT

    Server: Apache

    Content-Length: 226

    Connection: close

    Content-Type: text/html; charset=iso-8859-1

     

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

    <html><head>

    <title>400 Bad Request</title>

    </head><body>

    <h1>Bad Request</h1>

    <p>Your browser sent a request that this server could not understand.<br />

    </p>

    </body></html>

    closed

     



    ------------------------------
    Matthias Pohl
    ------------------------------



  • 4.  RE: How to upload several Intermediate CA certificate

    Posted 6 days ago
    Your ClearPass is fine: Verify return code: 0 (ok).

    If you open a browser to
    clearpass.opitz-consulting.com, I think it will open without any issues.
    The error message you show is about captiveportal-login.opitz-consulting.com.

    The issue seems to be in the certificate on the AP, which is the captiveportal-login. You may have missed an intermediate there.

    Can you open the Trust and Details 'arrows' in the screenshot? And/or run the same openssl command with that captiveportal-login URL while still connected to the captive portal?


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: How to upload several Intermediate CA certificate

    Posted 6 days ago
    openssl s_client -showcerts -servername captiveportal-login.opitz-consulting.com -connect captiveportal-login.opitz-consulting.com:443
    CONNECTED(00000005)
    depth=0 C = DE, ST = Nordrhein-Westfalen, L = Gummersbach, O = OPITZ CONSULTING Deutschland GmbH, CN = *.opitz-consulting.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = DE, ST = Nordrhein-Westfalen, L = Gummersbach, O = OPITZ CONSULTING Deutschland GmbH, CN = *.opitz-consulting.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
    i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
    -----BEGIN CERTIFICATE-----
    .
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2360 bytes and written 371 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 38CA285C277306F20567906077C1B07163E9131ED1A9A0C0DCD5AFB964D1E828
    Session-ID-ctx:
    Master-Key: 4BC27DFEC3FE0B42003FC9071ACABCB997CFAE5C69991DABE4899FA6FE1D986CCAC6A68583781479DDE0AA4959EDBE59
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 92 fc 57 9f 98 5f 89 d4-9e bf c3 64 fa 48 7c b2 ..W.._.....d.H|.
    0010 - a2 9a 9a 57 9f 33 a7 b9-35 96 d7 da 11 34 88 f4 ...W.3..5....4..
    0020 - 68 2d 7c 3d 15 fa cd 81-d1 ca 80 0a 03 be 17 cd h-|=............
    0030 - a0 e0 ff 16 2a c4 91 1a-e2 a4 50 80 58 82 bd 46 ....*.....P.X..F
    0040 - 15 53 f8 07 ad be fa 27-a9 d7 be 6d ec d0 15 e4 .S.....'...m....
    0050 - 4b 8d 81 89 b9 24 42 7a-6d 0d 4c ad 91 10 fc 0b K....$Bzm.L.....
    0060 - e6 37 a5 4c 7d 8e da e3-1a 95 6f fd 21 f4 dc 51 .7.L}.....o.!..Q
    0070 - 7f da 38 09 5f a5 ef 63-10 39 e0 1d 3c a5 09 67 ..8._..c.9..<..g
    0080 - ad e0 88 ad e1 f1 22 f4-fd 80 1b 35 3f 12 71 b2 ......"....5?.q.
    0090 - 45 f5 fa 46 2e d4 c3 74-f4 38 5f 4c 8a 97 f8 2c E..F...t.8_L...,
    00a0 - bd a3 be a5 d7 1d 2b ba-04 a0 9e 59 45 d4 73 50 ......+....YE.sP
    00b0 - d2 32 8a 4f 2a 7e d2 15-07 4d 29 f9 ea 12 96 93 .2.O*~...M).....

    Start Time: 1614163906
    Timeout : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    ---


    (null) 400 Bad Request
    Server:
    Date: Wed, 24 Feb 2021 09:52:15 GMT
    Cache-Control: no-cache,no-store,must-revalidate,post-check=0,pre-check=0
    Content-Type: text/html; charset=utf-8
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=604800
    Connection: close

    <HTML>
    <HEAD><TITLE>400 Bad Request</TITLE></HEAD>
    <BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
    <H4>400 Bad Request</H4>
    Can't parse request.
    <ADDRESS><A HREF="http://www.arubanetworks.com"></A></ADDRESS>
    </BODY>
    </HTML>
    read:errno=0

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 6.  RE: How to upload several Intermediate CA certificate

    Posted 5 days ago
    You have not included the intermediates in the import of your captive-portal certificate in the AP/Airwave. Check the message 'verify error:num=21:unable to verify the first certificate'

    Please check this post on how to create the chained certificate. I don't think having the intermediates imported in Airwave will automatically chain the certs sent to the APs (but I don't have an Airwave to test at the moment). In the 'root bundle', as mentioned, the root CA should not be there, just intermediates and if there are multiple put them in order from your certificate (immediately after your own certificate in the chained PEM file) towards the intermediate that is right under the root (last, before the private key).

    Some clients cache intermediate certificates that they have seen, apparently MacOS does not (for captive portal usage) which is a design choice I can understand from Apple.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: How to upload several Intermediate CA certificate

    Posted yesterday
    Hi Herman,

    I´ve recreated the certificate and now everything works fine! Thx for your support!

    Kind regards
    Matthias

    ------------------------------
    Matthias Pohl
    ------------------------------