Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Importing a new https ssl cert... problems.

  • 1.  Importing a new https ssl cert... problems.

    Posted Sep 09, 2016 07:52 AM

    I'm trying to upload a new ssl wildcard https server cert as ours runs out in a week or so, and keep getting this error:

    Certificate chain is invalid. The expected order is Policy Manager Server, Sub CA and Root CA certificates

    The cert is from DigiCert, and both the root and intermediate certs are already installed and expire in 2031 and 2023 respectively.  I've also been on the DigiCert website and verified that the serial of the installed ones matches the currently available ones.  So I was hoping I could simply import a new cert...

    The format of the cert is a pfx and I have used openssl to extract both the key and the cert, and tried to import them, and get presented with the above error.

    Based on the error, I assume the system is confirming that the installed root and intermed certs do not match the issued cert?  Yet they seem to have been fine the last couple of years, and the certs on the DigiCert website seem to match what we have installed.

    I don't know anything about certs, and find it all a bit mind boggling..

    Can anyone point me in the right direction?

    Cheers



  • 2.  RE: Importing a new https ssl cert... problems.

    EMPLOYEE
    Posted Sep 09, 2016 09:24 AM

    What are you trying to import the certificate into?  Controller, IAP, ClearPass?



  • 3.  RE: Importing a new https ssl cert... problems.

    Posted Sep 09, 2016 09:36 AM
    It was the ClearPass https server cert.. but after several attempts, and extractions.. managed to find the right combo that worked.

    I think the pfx file we had incorporated several certs, so I had to split them and import them, and that did the trick!

    Thanks anyway




  • 4.  RE: Importing a new https ssl cert... problems.

    Posted Apr 25, 2018 05:12 AM

    Hi All

    Please could someone explain how to import the cert correctly? I see you had to split up the certs to import it; would you be able to explain what you had to do to get it working? I have the exact same issue trying to import a wildcard cert for Guest SSL.



  • 5.  RE: Importing a new https ssl cert... problems.

    EMPLOYEE
    Posted Apr 25, 2018 07:04 AM

    svenables,

    Which product are you using and what type of certificate?  Please be specific.



  • 6.  RE: Importing a new https ssl cert... problems.

    EMPLOYEE
    Posted Apr 25, 2018 07:09 AM

    Hi

    Follow this old thread of mine

    http://community.arubanetworks.com/t5/Network-Management/Analytics-amp-Location-Engine-how-upload-SSL-Certificate/td-p/293549/page/2

    The certificate chain should be intact and is the same for all the devices; it should be in the proper order to work.



  • 8.  RE: Importing a new https ssl cert... problems.

    Posted Feb 19, 2021 09:52 AM
    I had the same issue renewing a wild card certificate in Aruba ClearPass 6.6

    Step 1. Installed Cygwin and OpenSSL on Windows 10

    Step 2. Extracted the Private key and PublicKey chain
    openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.crt
    openssl pkcs12 -in yourP12File.pfx -nokeys -out PublicKey.pem

    Step 3. In the Aruba ClearPass Policy Manager. In the Menu Administration > Certificates > Trust List the DigiCert Global Root was disabled, the Root Cert has been enabled.

    Step 4. The RapidSSL TLS DV RSA Mixed SHA256 2020 CA intermediate was missing and had to be manually added.

    Step 5. Certificate Chain Order
    The certificate chain PEM file had to be manually altered as the order was Public Key, Root CA and then Sub CA.
    I had to open up the PublicKey.pem file and copy and paste the last cert in as the second entry in the file. I used Notepad++ to edit the PEM file.

    Step 6. Uploaded new wildcard certificate worked as expected.

    ------------------------------
    Jeremy Gowland
    ------------------------------
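
The reordering in step 5 above, done with a script instead of a text editor. This is an added example, not part of the original posts and not Aruba tooling: it splits the extracted bundle and prints it as server cert, Sub CA, Root CA. The names `order_chain` and `make_sample_bundle` are made up here, and `openssl`, `awk` and `mktemp` are assumed to be on the path (for example under Cygwin).

```shell
# Added example (not from the thread). Prints a PEM bundle in the order
# ClearPass expects: server cert, Sub CA(s), Root CA. Links are matched on
# subject/issuer name hashes only; signatures are not verified.
order_chain() (
    bundle=$1
    dir=$(mktemp -d) || exit 1        # assumes the temp path has no spaces
    trap 'rm -rf "$dir"' EXIT
    # One file per certificate; "Bag Attributes" text between blocks is dropped.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }' "$bundle"
    # Index: "h<subject hash> h<issuer hash> <file>" ("h" forces string compares).
    total=0; seen=0
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || { echo "no certificates in $bundle" >&2; exit 1; }
        s=$(openssl x509 -noout -subject_hash -in "$f") || exit 1
        i=$(openssl x509 -noout -issuer_hash -in "$f") || exit 1
        echo "h$s h$i $f" >> "$dir/index"
        total=$((total + 1))
    done
    # Server cert: not self-signed, and not the issuer of anything in the bundle.
    cur=$(awk 'NR == FNR { if ($1 != $2) issuers[$2] = 1; next }
               $1 != $2 && !($1 in issuers) { print; exit }' "$dir/index" "$dir/index")
    [ -n "$cur" ] || { echo "no server certificate found" >&2; exit 1; }
    # Follow issuer links until a self-signed root or an issuer not in the bundle.
    while [ -n "$cur" ] && [ "$seen" -lt "$total" ]; do
        set -- $cur                   # $1 subject hash, $2 issuer hash, $3 file
        cat "$3"; seen=$((seen + 1))
        if [ "$1" = "$2" ]; then break; fi
        cur=$(awk -v want="$2" '$1 == want { print; exit }' "$dir/index")
    done
)
# Constructed sample: throwaway Root CA, Sub CA and server cert written to
# directory $1, bundled in the wrong order from step 5 (server, Root, Sub).
make_sample_bundle() (
    set -e; cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.pem 2>/dev/null
    for n in sub leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=example $n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null
    done
    openssl x509 -req -days 2 -in sub.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -out sub.pem 2>/dev/null
    openssl x509 -req -days 2 -in leaf.csr -CA sub.pem -CAkey sub.key \
        -CAcreateserial -out leaf.pem 2>/dev/null
    cat leaf.pem root.pem sub.pem > bundle.pem
)
```

Typical use is `order_chain PublicKey.pem > ordered.pem`, leaving the private key file from step 2 untouched. Because only names are matched, confirm the result with `openssl verify -CAfile <root> -untrusted <sub CA> <server cert>` before uploading.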